SOC 1

SSAE 16 and the Federal HealthCare Exchange


With the issues surrounding HealthCare.gov and the various contractors who played a role in the development, one question that comes to mind is: How many of the over 50 companies contracted had an SSAE 16 (SOC 1) audit performed over the services they were providing?

This is important to know and could be part of the reasons why the development efforts appear to have fallen short of best practices.

The standard change management / development process should flow accordingly:

  1. Define scope of the project or individual change / fix planned for development
  2. Review of the request and development plan by a committee to validate the appropriateness, priority, and potential conflicts that could arise.
  3. If approved, determine a high level development plan including dependencies and interfaces, create test procedures to validate the change, and roll back procedures.
  4. Complete the development / coding required.
  5. Development and end users perform robust testing / QA based on the test procedures and their standard use of the application.
  6. Project manager or appropriate Management personnel perform a final review and approve for promotion into production or main branch of the application (if multiple concurrent changes being made).
  7. Validate functionality of application post-implementation to further ensure no issues exist.

From the information currently available it appears that in the rush to meet Organizational goals and tight deadlines, steps 5-7 were performed hastily leading to unexpected issues once the system went live. It was even mentioned that basic Alpha testing of the entire exchange ecosystem was barely completed before the roll out. This experience proves more than ever that having a properly controlled change management process with a priority placed on testing is key when performing development activities impacting the core functionality of an application. The complexity of this project just serves to further highlight these basic, but often overlooked, steps.

healthcare exchange ssae 16 audit

Chances are that if the various contractors used to develop the Health Exchange were audited regularly, these controls would have had a higher priority placed on them within their respective Organizations and performed accordingly at the risk of failing their next SSAE 16 audit and creating the mess we are in today.

These miscues serve as a perfect example of knowing and being comfortable with the controls in place at a contracted 3rd party service provider. This assurance is what an SSAE 16 audit is intended to provide and why they are so important in today’s business environment.

Are Service Provider Contract Updates Needed with SSAE 18?


While some companies still request a SAS 70 report (why, who knows…), many contracts now require a SSAE 16 report, and with the change to SSAE 18 many are now asking, what is the right language to use going forward? To fix this, the AICPA is now stating the standard number or reference should no longer to be used, and formally referred to as a SOC 1 report. This will hopefully help to prevent this situation in the future when new updates are inevitably implemented (SSAE 19, 20, …). A minor, but, helpful change.

So – while you do not *have* to update your contracts, it’s typically the best course of action, and now, going forward you shouldn’t have to worry about it again.

Are there any other nagging items like this you are running into? If so, contact us or leave a comment and we will do our best to clarify.

The SSAE 18 Audit Standard (Updates and Replaces SSAE-16)


SSAE 18 is a series of enhancements aimed to increase the usefulness and quality of SOC reports, now, superseding SSAE 16, and, obviously the relic of audit reports, SAS 70. The changes made to the standard this time around will require companies to take more control and ownership of their own internal controls around the identification and classification of risk and appropriate management of third party vendor relationships. These changes, while, not overly burdensome, will help close the loop on key areas that industry professionals noted gaps in many service organization’s reports.

SSAE18 is now effective as of May 1, 2017, and if you have not made the necessary adjustments required, now is the time to find a quality provider to discuss the proper steps. All organizations are now required to issue their System and Organization Controls (SOC) Report under the SSAE-18 standard in an SOC 1 Report. The SOC 1 report produced will look and feel very similar to the one issued under SSAE-16, it will just contain a couple additional sections and controls to further enhance the content and quality, and thus, the ability for third parties to rely on.

What’s New in SSAE 18?

As mentioned above, there are a couple key changes that Companies currently performing a SOC 1 or 2, or, will be performing one in the near future, need to take into consideration this year and going forward.

  1. Service Organizations will need to implement a formal Third Party Vendor Management Program
  2. Service Organizations will need to implement a formal Annual Risk Assessment process

In addition to the control based changes, your SOC report should also now contain two additional sections describing the risk assessment process, as well as, the Subservice Organizations that play a role in the overall operation of the system and the corresponding controls they impact or have complete ownership of. These two components were typically present in SOC 2 reports previously, but, not formally required. Now, this concept is being formalized and extended to all SOC reports going forward.

Now, for companies that have not previously undergone a SOC 1 audit because their service / operations were not financially significant, SSAE 18 now expands the definition of what is allowed to be reported on to include an entity’s compliance with certain laws or regulations, contractual arrangements, or another set of defined agreed-upon procedures – just about any outsourced service where 3rd party validation would be beneficial and add assurance. This now allows for an official, independent review, of a wide-range of operations under a trusted and consistent set of auditing and reporting guidelines.

Who Needs an SSAE 18 (SOC 1) Audit?

A service organization’s services are part of an entity’s information system if they affect any of the following:The classes of transactions in the entity’s operations that are significant to the entity’s financial statements. The procedures, both automated and manual, by which the entity’s transactions are initiated, recorded, processed, and reported from their occurrence to their inclusion in the financial statements.The related accounting records, whether electronic or manual, supporting information, and specific accounts in the entity’s financial statements involved in initiating, recording, processing and reporting the entity’s transactions. How the entity’s information system captures other events and conditions that are significant to the financial statements. The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures.If your Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), you will more than likely be asked to provide an SOC 1 Type II Report, especially if the User Organization is publicly traded.
Some example industries include:

  • Payroll Processing
  • Loan Servicing
  • Data Center/Co-Location/Network Monitoring Services
  • Software as a Service (SaaS)
  • Medical Claims Processors

How Does My Company Best Prepare?:

Before starting the SSAE 18 process, there are a number of considerations one must take into account that can save considerable time, effort, and money in the long run. Use the following items as a mini checklist for yourself:

  • Does my Company need an SSAE18, or, are we doing it just because someone asked?
  • Reports on the low end can run at least $15,000 a year, will the business lost be less of a burden than the cost of the report itself?
  • Does your company have defined Business Process and IT controls in place, or, will you need assistance developing and implementing them (readiness assessment)?
  • Have you determined the controls in place which affect the outsourced services being provided?
  • Have key stakeholders been defined and included in discussions?

There are many other issues to consider before engaging a CPA firm to help with your SSAE 18, for a more detailed ‘checklist’ – please see The SSAE 18 Checklist.

The SSAE16 Auditing Standard


SSAE 16 is an enhancement to the current standard for Reporting on Controls at a Service Organization, the SAS70. The changes made to the standard will bring your company, and the rest of the companies in the US, up to date with new international service organization reporting standards, the ISAE 3402. The adjustments made from SAS 70 to SSAE 16 will help you and your counterparts in the US compete on an international level; allowing companies around the world to give you their business with complete confidence.

SSAE16 is now effective as of June 15, 2011, and if you have not made the necessary adjustments required, now is the time to find a quality provider to discuss the proper steps. All organizations are now required to issue their Service Auditor Reports under the SSAE 16 standards in an SOC 1 Report.

The soon to be effective, SSAE-18, is expected to follow a similar reporting structure to the SSAE-16 within a SOC 1 report.

Who Needs an SSAE 16 (SOC 1) Audit?

A service organization’s services are part of an entity’s information system if they affect any of the following:The classes of transactions in the entity’s operations that are significant to the entity’s financial statements. The procedures, both automated and manual, by which the entity’s transactions are initiated, recorded, processed, and reported from their occurrence to their inclusion in the financial statements.The related accounting records, whether electronic or manual, supporting information, and specific accounts in the entity’s financial statements involved in initiating, recording, processing and reporting the entity’s transactions. How the entity’s information system captures other events and conditions that are significant to the financial statements. The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures.If your Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), you will more than likely be asked to provide an SSAE16 Type II Report, especially if the User Organization is publicly traded.
Some example industries include:

  • Payroll Processing
  • Loan Servicing
  • Data Center/Co-Location/Network Monitoring Services
  • Software as a Service (SaaS)
  • Medical Claims Processors

What you Need to Know:

Before starting the SSAE 16 process, there are a number of considerations one must take into account that can save considerable time, effort, and money in the long run. Use the following items as a mini checklist for yourself:

  • Does my Company need an SSAE16, or, are we doing it just because someone asked?
  • Reports on the low end can run at least $15,000 a year, will the business lost be less of a burden than the cost of the report itself?
  • Does your company have defined Business Process and IT controls in place, or, will you need assistance developing and implementing them (readiness assessment)?
  • Have you determined the controls in place which affect the outsourced services being provided?
  • Have key stakeholders been defined and included in discussions?

There are many other issues to consider before engaging a CPA firm to help with your SSAE 16, for a more detailed ‘checklist’ – please see The SSAE 16 Checklist

You may have heard SSAE-18 is on the horizon for reports issued as of May 1, 2017. There are some important updates discussed in here: SSAE-18 – An Update to SSAE-16.

As the standard is formalized and the date approaches we will continue to provide more information to help you prepare for these changes.