Posts Tagged: SSAE 16
Tuesday, May 14th, 2013
A SOC 1 Report (Service Organization Controls Report) is a report on Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting. The SOC1 Report is what you would have previously considered to be the standard SAS70, complete with a Type I and Type II reports, but falls under the SSAE 16 guidance.
Please see the following articles discussing the SSAE 16 guidance and additional information related to the SOC 1 (Type I and Type II) Reports:
In addition to the SOC 1 report which is restricted to controls relevant to an audit of a user entity’s financial statements, the SOC 2 and SOC 3 reports have been created to address controls relevant to operations and compliance and will be discussed in further detail in the future.
Please see the SOC 1 Reporting Guide page for additional information.
Tags: example soc 1 report, soc 1, soc 1 report, soc 1 reports, soc 1 type 2, soc 1 type 2 report, soc 1 type ii report, soc 2, SOC 3, soc i, SOC Report, soc reporting, soc type, soc type 1 report, soc-1 report, soc1, soc1 report, soc1 reporting, soc1 soc2, SSAE 16, ssae 16 report, ssae 16 reports, ssae 16 soc 1, ssae16 compliant soc 1, what is a soc 1 report, what is a soc1 report, what is ssae 16 soc 1 and soc 2 difference
Posted in SSAE 16, SSAE 16 Type II | 15 Comments »
Friday, April 5th, 2013
I’ve been hearing from various people in the marketplace that they were interested in learning about some steps, at a high level, that they need to take to get off the ground and on their way to completing their SSAE 16 Report Type I or Type II. So, I will give you guys a breakdown of some of the things you should be doing now, and some things to think about down the line as you progress.
This SSAE 16 Checklist is geared towards service organizations whom have never done a SAS 70 in the past and will be taking up the task this coming year when SSAE 16 will be in full effect. A more detailed version geared towards companies that have some experience being audited will be coming down the line.
- Do your research.
- You have already come across our site, so you have begun the process of researching SSAE 16 and the responsibilities that come with performing one. I would continue to search for SAS 70 related information as well, as most of that knowledge is applicable.
- Find a few CPA firms who perform SSAE 16′s (or SAS 70).
- You will want to research a number of firms that could perform and sign off on your SSAE 16 Report, which, only CPA firms are permitted to do. This process should be handled with the utmost care as you are putting a lot of trust into the company you choose, they can make or break you.
- Some things to consider:
1. The size of your company – You may not be able to afford a large CPA firm.
2. The clientele you are attracting – Some companies will not feel secure with the quality of your SSAE 16 if it was performed by a firm that isn’t well known.
3. Total SSAE 16′s or SAS 70′s performed – You do not want to use a company who has never done such work in the past, unless they are comprised of former employees of another quality firm and have decided to take off on their own.
4. The methodology employed – You will want to quiz the companies and gain comfort around their methods and ensure you are comfortable with their responses and agree based upon your research.
- Narrow your search.
- Based upon how you felt about each company, the people, the methodology, their previous experience, and of course, cost, you should narrow down your search to the top 2 companies.
- Pricing for SSAE 16′s and SAS 70′s can vary greatly depending upon the company performing the work and the size of your organization, however, I wouldn’t expect to pay any less than $25,000-$30,000.
- You should look for a fixed rate fee so there is no potential for them to raise rates on you as the project progresses.
- Define the scope.
- Once you have engaged a firm to perform the work, make sure you define the scope of the audit early on in the process. Not doing so could lead to excessive delays and potential cost overruns.
- Define your control objectives and activities.
- In conjunction with your CPA firm, define the controls and test steps to be tested and make sure that they have been reviewed by process owners and any of the stakeholders at the CPA firm who may be reviewing and/or signing off on the report to ensure everyone is in agreeance. If this isn’t completed prior to testing, you are asking for a world of trouble.
- Perform a Readiness Assessment.
- You can either choose to perform a readiness assessment on your own, based upon the test steps already defined, or, if you do not have the capacity or ability to do so internally, you can look towards either the firm performing your review or another firm who is skilled in preparing companies for audits.
These steps laid out here will set you on your way to getting your SSAE 16 started up and going and should help to guide you through the toughest parts of the process. Once you have completed all of the steps we have laid out, you should be able to rely on the knowledge of your CPA firm to take you through the finish line.
If you have any further questions please Contact Us!
Tags: checklist, control activities, control objectives, readiness assessment, SAS 70, SAS70, scope, soc 1 review checklist, soc checklist, SSAE 16, ssae 16 audit checklist, ssae 16 checklist, SSAE 16 Preparation, ssae 16 process mapping guide, ssae 16 report, SSAE 16 Review, ssae 16 review checklist, ssae 16 testing definition, ssae 16 type ii
Posted in SSAE 16, SSAE 16 Preparation | No Comments »
Wednesday, March 27th, 2013
Some organizations have heard of SAS 70 or SSAE 16, but, don’t really know WHY they need to pay to have a bunch of auditors trounce through their company for a month or two during the year, especially right after their financial audit just finished.
The answer is simple: Many companies will not even think about using your company to perform services for them without a clean Type II Report in place.
Some benefits of having an SSAE 16 performed:
- Ability to perform outsourcing services for Public Companies.
- If performing financially significant duties for a Public Company, they are required to use a SSAE 16 qualified provider as it is the only way to give investors assurance over controls that are not performed by the Company in question.
- Public and Private companies are more likely to trust your organization with their data.
- If you were to trust a company with your data, you would want complete assurance it will be handled with the utmost care
- A year round accessible knowledge source (your auditors).
- As a service organization, large or small, you will always have questions regarding your business and having a set of auditors in place with access to a wide array of business knowledge, it will allow you to bounce your questions and concerns off of a group of trusted individuals.
- A third party to review your controls and activities to ensure they are functioning appropriately, and give advice on how to improve upon them.
- Sometimes your internal audit department is good, but, not always as stringent as they should be. This will help to serve as a check on their work, as well as your staff. Additionally, if there were any findings noted, your auditors are in a great position to give you some tricks and tips to improve to ensure everything functions well the following period.
- Improving performance of the organization.
- Just the knowledge that a review is being performed of an employee’s work that can have far reaching consequences for the company as a whole. No more, “Oh, I didn’t realize that reviewing user access was THAT important to do this month, sorry”, now, everyone knows that if it’s not done, the success or failure of the organization could rest upon them.
Think of the SSAE 16 as an annual investment into your company, increasing potential new clients, productivity and accountability.
Tags: is ssae 16 needed, reports, reviewing ssae 16, SSAE 16, ssae 16 audit review, SSAE 16 Review, ssae 16 review checklist, ssae 16 reviews, ssae review, ssae reviews, SSAE16, ssae16 review, standards, third party ssae guidance review, who is required to have a ssae 16, who is required to have ssae 16, why get ssae 16
Posted in SSAE 16, SSAE 16 Type II | 2 Comments »
Sunday, March 24th, 2013
When performing a SSAE 16 Review, you will be inundated with various terms that you may have never heard of before. We plan on continuing with a serious of posts dedicated to explaining the various terminology that you should be aware of to ensure when the auditors are explaining things to you, you don’t lost in the jargon.
Today we will discuss the Carve-out Method.
When management is in the process of writing their description of their system (‘management’s description of the service organization’s system’), there are various ways to address controls or functions relevant to the processes that are outsourced to another organization (‘subservice organization’). Using the carve-out method, you would exclude the subservice organization’s relevant control objectives and related controls from management’s description and scope of the service auditor’s engagement.
Now, this doesn’t mean you don’t need to address the controls that take place at a subservice organization, what it means is that you will need to have controls in place to monitor the effectiveness of the controls at the subservice organization. The most typical way to address this would be to obtain an SSAE 16 from the subservice organization, assuming the relevant controls were covered within their report.
Tags: carve out method sas 70, carve out methode, carve out methodology, carve out process, Carve-out Method, sas 70 carve out method, SSAE 16, ssae 16 carve out, ssae 16 carve-out method, ssae 16 review checklist, SSAE 16 Terminology, ssae 16 terms, ssae carve out method, ssae16 carve out, ssae16 carve out method, Subservice Organization, what is carve out method
Posted in SSAE 16, SSAE 16 Terminology | 1 Comment »
