November 18, 2017

Tag Archives: SSAE 16 Terminology

SSAE 16 Terminology – Controls at a Service Organization


Controls at a Service Organization refer to the controls that are in place at your company.

Many of these controls should be covered within your policies and procedures, as they should reflect an accurate depiction of the various processes that occur within your organization. Accurate policies and procedures (P&P) should be designed, implemented, and documented by the service organization. When the service auditor is testing the effectiveness of your control objectives and activities, your P&P support the achievement of the control objectives. While P&P are not enough to determine that a process is operating effectively, they can support the design effectiveness of a control.

Typically a service auditor will perform testing, beyond P&P, around the control objectives and activities to support the fact that employees are performing their duties in accordance with the P&P, because without the additional testing, it would be impossible have comfort that they are actually being followed.

Simply put, good policies and procedures will only get you so far during an audit because you still need to prove to the auditors that the functions management say are being performed are being carried out correctly.

This information is also consistent with SSAE-18 which is effective as of May 1, 2017.

SSAE 16 Terminology – Carve-out Method


When performing a SSAE 16 Review, you will be inundated with various terms that you may have never heard of before. We plan on continuing with a serious of posts dedicated to explaining the various terminology that you should be aware of to ensure when the auditors are explaining things to you, you don’t lost in the jargon.

Today we will discuss the Carve-out Method.

When management is in the process of writing their description of their system (‘management’s description of the service organization’s system’), there are various ways to address controls or functions relevant to the processes that are outsourced to another organization (‘subservice organization’). Using the carve-out method, you would exclude the subservice organization’s relevant control objectives and related controls from management’s description and scope of the service auditor’s engagement.

Now, this doesn’t mean you don’t need to address the controls that take place at a subservice organization, what it means is that you will need to have controls in place to monitor the effectiveness of the controls at the subservice organization. The most typical way to address this would be to obtain an SSAE 16 from the subservice organization, assuming the relevant controls were covered within their report.

This information is also consistent with SSAE-18 which is effective as of May 1, 2017.

SSAE 16 Terminology – Criteria


Criteria, as defined by the SSAE 16 guidance are:

The standards or benchmarks used to measure and present the subject matter and against which the service auditor evaluates the subject matter.

Criteria are the overarching goals that the control objectives and activities that are in place are designed to meet and that the final report is to give assurance on, for example, “The system is protected against unauthorized access (both physical and logical).” To meet this criteria, a company may decide to include controls such as “Firewalls are installed at all external entry points” or “A User Access Review of Access Badges is performed on a Monthly Basis”. Criteria are used as a benchmark to assess the design and operating effectiveness of internal controls at an organization, however, Management is responsible for making sure that the controls in place support the defined criteria sufficiently.

There are best practice criteria available for most industries that reflect prevailing internal controls best practices and requirements from around the world, some of these can be found on the AICPA website if you would like some additional examples.

This definition and information is consistent in SSAE-18.