Author Archives: admin

SSAE 16 Terminology – Criteria

Criteria, as defined by the SSAE 18 (formerly SSAE 16) guidance are:

The standards or benchmarks used to measure and present the subject matter and against which the service auditor evaluates the subject matter.

Criteria are the overarching goals that the control objectives and activities that are in place are designed to meet and that the final report is to give assurance on, for example, “The system is protected against unauthorized access (both physical and logical).” To meet this criteria, a company may decide to include controls such as “Firewalls are installed at all external entry points” or “A User Access Review of Access Badges is performed on a Monthly Basis”. Criteria are used as a benchmark to assess the design and operating effectiveness of internal controls at an organization, however, Management is responsible for making sure that the controls in place support the defined criteria sufficiently.

There are best practice criteria available for most industries that reflect prevailing internal controls best practices and requirements from around the world, some of these can be found on the AICPA website if you would like some additional examples.

This definition and information is consistent in SSAE-18.

SOC 3 Report – WebTrust and SysTrust

The SOC 3 Report , just like SOC 2, is based upon the Trust Service Principles and performed under AT101, the difference being that a SOC 3 Report can be freely distributed (general use) and only reports on if the entity has achieved the Trust Services criteria or not (no description of tests and results or opinion on description of the system). The lack of a detailed report requires that a SOC 3 be performed as a Type II, unlike SOC 1 and SOC 2 where there is a Type I option. SOC 3 reports can be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality and privacy) and allow the organization to place a seal on their website upon successful completion.

The Trust Service Principles were designed with a focus on e-commerce systems due to the amount of private/confidential/financial information that flows across the internet daily. When a customer processes a transaction (online retailer), builds a business on your service (SaaS providers), or submits private information, they want to know best practices are being followed by the company to guard against security leaks, lost sales, and damaged data. The most common reports based upon the trust principles are referred to as WebTrust and SysTrust.

The SysTrust review encompasses a combination of the following principles:

  • Security: The system is protected against unauthorized access (both physical and logical).
  • Availability: The system is available for operation and use as committed or agreed.
  • Processing Integrity: System processing is complete, accurate, timely, and authorized.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.

The WebTrust certification can fall into the following four categories:

  • WebTrust. The scope of the engagement includes any combination of the trust principles and criteria .
  • WebTrust Online Privacy. The scope of the engagement is based upon the online privacy principle and criteria.
  • WebTrust Consumer Protection. The scope of the engagement is based upon the processing integrity and relevant online privacy principles and criteria.
  • WebTrust for Certification Authorities. The scope of the engagement is based upon specific principles and related criteria unique to certification authorities.

SSAE 16 and the Federal HealthCare Exchange

With the issues surrounding HealthCare.gov and the various contractors who played a role in the development, one question that comes to mind is: How many of the over 50 companies contracted had an SSAE 16 (SOC 1) audit performed over the services they were providing?

This is important to know and could be part of the reasons why the development efforts appear to have fallen short of best practices.

The standard change management / development process should flow accordingly:

  1. Define scope of the project or individual change / fix planned for development
  2. Review of the request and development plan by a committee to validate the appropriateness, priority, and potential conflicts that could arise.
  3. If approved, determine a high level development plan including dependencies and interfaces, create test procedures to validate the change, and roll back procedures.
  4. Complete the development / coding required.
  5. Development and end users perform robust testing / QA based on the test procedures and their standard use of the application.
  6. Project manager or appropriate Management personnel perform a final review and approve for promotion into production or main branch of the application (if multiple concurrent changes being made).
  7. Validate functionality of application post-implementation to further ensure no issues exist.

From the information currently available it appears that in the rush to meet Organizational goals and tight deadlines, steps 5-7 were performed hastily leading to unexpected issues once the system went live. It was even mentioned that basic Alpha testing of the entire exchange ecosystem was barely completed before the roll out. This experience proves more than ever that having a properly controlled change management process with a priority placed on testing is key when performing development activities impacting the core functionality of an application. The complexity of this project just serves to further highlight these basic, but often overlooked, steps.

healthcare exchange ssae 16 audit

Chances are that if the various contractors used to develop the Health Exchange were audited regularly, these controls would have had a higher priority placed on them within their respective Organizations and performed accordingly at the risk of failing their next SSAE 16 audit and creating the mess we are in today.

These miscues serve as a perfect example of knowing and being comfortable with the controls in place at a contracted 3rd party service provider. This assurance is what an SSAE 16 audit is intended to provide and why they are so important in today’s business environment.

Are Service Provider Contract Updates Needed with SSAE 18?

While some companies still request a SAS 70 report (why, who knows…), many contracts now require a SSAE 16 report, and with the change to SSAE 18 many are now asking, what is the right language to use going forward? To fix this, the AICPA is now stating the standard number or reference should no longer to be used, and formally referred to as a SOC 1 report. This will hopefully help to prevent this situation in the future when new updates are inevitably implemented (SSAE 19, 20, …). A minor, but, helpful change.

So – while you do not *have* to update your contracts, it’s typically the best course of action, and now, going forward you shouldn’t have to worry about it again.

Are there any other nagging items like this you are running into? If so, contact us or leave a comment and we will do our best to clarify.