SSAE 16

Why have an SSAE 16 Review Performed?

Some organizations have heard of SAS 70, SSAE 16, and soon to be SSAE 18, but, don’t really know WHY they need to pay to have a bunch of auditors trounce through their company for a month or two during the year, especially right after their financial audit just finished.
The answer is simple: Many companies will not even think about using your company to perform services for them without a clean Type II Report in place.
Some benefits of having an SSAE 16 performed:

  • Ability to perform outsourcing services for Public Companies.
    • If performing financially significant duties for a Public Company, they are required to use a SSAE 16 qualified provider as it is the only way to give investors assurance over controls that are not performed by the Company in question.
  • Public and Private companies are more likely to trust your organization with their data.
    • If you were to trust a company with your data, you would want complete assurance it will be handled with the utmost care
  • A year round accessible knowledge source (your auditors).
    • As a service organization, large or small, you will always have questions regarding your business and having a set of auditors in place with access to a wide array of business knowledge, it will allow you to bounce your questions and concerns off of a group of trusted individuals.
  • A third party to review your controls and activities to ensure they are functioning appropriately, and give advice on how to improve upon them.
    • Sometimes your internal audit department is good, but, not always as stringent as they should be. This will help to serve as a check on their work, as well as your staff. Additionally, if there were any findings noted, your auditors are in a great position to give you some tricks and tips to improve to ensure everything functions well the following period.
  • Improving performance of the organization.
    • Just the knowledge that a review is being performed of an employee’s work that can have far reaching consequences for the company as a whole. No more, “Oh, I didn’t realize that reviewing user access was THAT important to do this month, sorry”, now, everyone knows that if it’s not done, the success or failure of the organization could rest upon them.

Think of the SSAE 16 or SSAE-18 audit as an annual investment into your company, increasing potential new clients, productivity and accountability.

SSAE 16 Terminology – Carve-out Method

When performing a SSAE 16 Review, you will be inundated with various terms that you may have never heard of before. We plan on continuing with a serious of posts dedicated to explaining the various terminology that you should be aware of to ensure when the auditors are explaining things to you, you don’t lost in the jargon.

Today we will discuss the Carve-out Method.

When management is in the process of writing their description of their system (‘management’s description of the service organization’s system’), there are various ways to address controls or functions relevant to the processes that are outsourced to another organization (‘subservice organization’). Using the carve-out method, you would exclude the subservice organization’s relevant control objectives and related controls from management’s description and scope of the service auditor’s engagement.

Now, this doesn’t mean you don’t need to address the controls that take place at a subservice organization, what it means is that you will need to have controls in place to monitor the effectiveness of the controls at the subservice organization. The most typical way to address this would be to obtain an SSAE 16 from the subservice organization, assuming the relevant controls were covered within their report.

This information is also consistent with SSAE-18 which is effective as of May 1, 2017.

SSAE 16, The New Standard

So you have been performing a SAS 70 for the last couple years, or, are getting ready prepared to embark on your first SAS 70, and all of a sudden you hear that a brand new standard has been issued!

Don’t worry about it!
SSAE 16 is an improvement to the current standard for Reporting on Controls at a Service Organization, the SAS70, with some changes that will help bring your company and the rest of the companies in the US up to date with new international service organization reporting standards, ISAE 3402. This will help allow you and your counterparts in the US be able to compete on an international level, allowing for companies around the world to be able to use YOU as their service organization with complete comfort.
One very important issue that you should be very aware of is that SSAE 16 will formally be issued in June 2010 with an effective date of June 15, 2011, meaning that if you are not on top of this new standard soon, you need to be. Many organizations have a 12 month testing period that begins in July, and if this sounds like your company, you will be required to be compliant with the New Standards as of July 1, 2010.

Major differences between SAS 70 and the New Standard, SSAE 16 and ISAE 3042:

1) Management of the Service Organization will be required to provide the service auditor with a written assertion about the following, when performing either a Type I or Type II engagement, which the service auditor will then attest to:

  • The fairness of the presentation of the description of the service organization’s system;
  • The suitability of the design of the controls to achieve the related control objectives stated in the description; and
  • The operating effectiveness of those controls to achieve the related control objectives stated in the description (Type II Only)

2) During the process of understanding the service organization’s system, the Service Auditor would be required to obtain information that would identify risks that the description of the service organization’s system is not fairly presented or that the control objectives stated in the description were not achieved due to intentional actions by service organization personnel.

Changes that Directly Impact Type II Engagements

1) The Service Auditor’s opinion on the fairness of the presentation of description of the service organization’s system and on the suitability of the design of the controls would be for a full period, as opposed to a specified date. (i.e. Your report would be for the 6 months covering July 2010 through December 2010.)

  • The Type II report would identify the customers to whom use of the report is restricted as “customers of the service organization’s system during some or all of the period covered by the service auditor’s report”

2) Evidence obtained in prior engagements related to the satisfactory operation of controls in prior periods will not be sufficient to reduce the amount of testing performed.

Expected Change Which Didn’t Occur:

While it was expected that SSAE 16 would build upon the previous SAS 70 standard of reporting only on financial reporting activities and allow a service organization to branch out in to other areas of their business, such as regulatory compliance and performance metrics, this was not included within the initial final version of the New Standard and there has been no guidance as to when it would be expected, if ever, to be.

The Previously Expected Change Which Didn’t Occur, Now Has with SSAE-18!

The long awaited update that was needed, but, left unaddressed the during the last update has now been addressed, allowing a service organization to branch out into other areas of their business. This allows coverage of regulatory compliance, performance metrics, and any other set of agreed-upon procedures with definable metrics.

This is a very welcomed enhancement to the standard and service organizations should contact a service provider today to learn more about how SSAE-18 can benefit them.

SSAE-18 reports will be effective for reports issued after May 1, 2017.

SSAE 18 (SSAE 16) Preparation Tips

This tip is focused on designing controls that reflect the process being testing, if they don’t, a headache of massive proportions will be created once testing begins.

What do you do to make sure you don’t screw this up? Have as many meetings as it takes to get it right.
What you need to do is sit down with the auditors, the department lead, the main employees responsible for performing the process, and anyone else whom could either play a role in testing or modifying the control in the future. Once that is done, Management should discuss what they determined the control to be and how it should operate, that is then reviewed by the auditors, and then the employees performing the tasks should be reconsulted to verify that the control still reflects their process accurately.

Many times people try to speed this process up and slack on it, leaving many open items which upon testing could easily blow up into a huge problem. When the control isn’t 100% agreed upon prior to testing and a deviation is noted, it’s a tough call between failing the control and the ability to adjust it to accurately reflect the process. The problem is modifying a control after testing has begun is not proper and needs to be avoided at all costs.

Locking the controls locked down early on could save weeks in wrapping up your new SSAE 16 Report.
We have seen issues like this cause delays in issuing of the report to the client and running additional fees, since adjusting controls isn’t free. Coming from the perspective of the auditor, we can let you know the pitfalls, consequences and how to best navigate the audit process. If you have any comments or questions please leave them below!