Tag Archives: SSAE 16

SSAE 16 and the Federal HealthCare Exchange


With the issues surrounding HealthCare.gov and the various contractors who played a role in the development, one question that comes to mind is: How many of the over 50 companies contracted had an SSAE 16 (SOC 1) audit performed over the services they were providing?

This is important to know and could be part of the reasons why the development efforts appear to have fallen short of best practices.

The standard change management / development process should flow accordingly:

  1. Define scope of the project or individual change / fix planned for development
  2. Review of the request and development plan by a committee to validate the appropriateness, priority, and potential conflicts that could arise.
  3. If approved, determine a high level development plan including dependencies and interfaces, create test procedures to validate the change, and roll back procedures.
  4. Complete the development / coding required.
  5. Development and end users perform robust testing / QA based on the test procedures and their standard use of the application.
  6. Project manager or appropriate Management personnel perform a final review and approve for promotion into production or main branch of the application (if multiple concurrent changes being made).
  7. Validate functionality of application post-implementation to further ensure no issues exist.

From the information currently available it appears that in the rush to meet Organizational goals and tight deadlines, steps 5-7 were performed hastily leading to unexpected issues once the system went live. It was even mentioned that basic Alpha testing of the entire exchange ecosystem was barely completed before the roll out. This experience proves more than ever that having a properly controlled change management process with a priority placed on testing is key when performing development activities impacting the core functionality of an application. The complexity of this project just serves to further highlight these basic, but often overlooked, steps.

healthcare exchange ssae 16 audit

Chances are that if the various contractors used to develop the Health Exchange were audited regularly, these controls would have had a higher priority placed on them within their respective Organizations and performed accordingly at the risk of failing their next SSAE 16 audit and creating the mess we are in today.

These miscues serve as a perfect example of knowing and being comfortable with the controls in place at a contracted 3rd party service provider. This assurance is what an SSAE 16 audit is intended to provide and why they are so important in today’s business environment.

What does Management Need to Provide the Auditors?


If you have never been audited before, as is the case with many service organizations, you are probably wondering what kind of documentation will I need to give the auditors? What will they do with it once they have it?

A high level explanation per the SSAE 16 Guidance:

(1) access to all information, such as records and documentation, including service
level agreements, of which management is aware that is relevant to the
description of the service organization’s system and the assertion;
(2) additional information that the service auditor may request from management for
the purpose of the examination engagement;
(3) unrestricted access to personnel within the service organization from whom the
service auditor determines it is necessary to obtain evidence relevant to the
service auditor’s engagement; and
(4) written representations at the conclusion of the engagement

Basically, you must give up anything needed by the service auditor that will permit them to attest to “Management’s description of the service organization’s system”, the main change associated with SSAE 16.

Many of the controls at your organization will be reliant upon documents such as service level agreements and subservice organization’s SSAE 16 reports. Controls will also require you to pass off policies and procedures, organizational charts, job descriptions, firewall configurations, and other internal documentation.

The most intrusive part of the SSAE 16 Review is that the auditors will need to talk to any and all of the employees that have a role in performing the controls being tested. Without that access, it would be impossible for the auditors to have a clear understanding of the processes when testing your controls. However, this shouldn’t be viewed as a negative, it will help your employees improve their processes in the future by gaining tips and insight from the auditors that will help them be better prepared for next year’s audit. Also, it will help clear up any potential findings or issues the auditors find, as in many cases there is no problem and an explanation is all that is needed, making the audit go MUCH smoother.

All of the documentation and information provided will never be seen by anyone other than the auditors performing the testing. The documentation is needed for the service auditors to assess the design and operating effectiveness of your controls. Once the testing and review phases are complete, your report will be issued and all that will be included is whether you either passed or failed that control, so don’t worry!

If you have any questions feel free to leave them in the comments section below and we will do our best to respond!

This information is also consistent with SSAE-18 which is effective as of May 1, 2017.

The biggest update in SSAE 18 as it relates to this post is a Company is now required to provide the auditor a detailed risk assessment based around key internal risks where there is potential for material misstatement and supporting controls.

Please use the contact provider form to connect with a qualified professional to answer anymore questions.

SOC 1 Report


A SOC 1 Report (System and Organization Controls Report) is a report on Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting. The SOC1 Report is what you would have previously considered to be the standard SAS70, complete with a Type I and Type II reports, but falls under the SSAE 16 guidance (and soon to be SSAE 18).

Please see the following articles discussing the SSAE 16 guidance and additional information related to the SOC 1 (Type I and Type II) Reports:

In addition to the SOC 1 report which is restricted to controls relevant to an audit of a user entity’s financial statements, the SOC 2 and SOC 3 reports have been created to address controls relevant to operations and compliance and will be discussed in further detail in the future.

Please see the SOC 1 Reporting Guide page for additional information.

SSAE 16 Terminology – Controls at a Service Organization


Controls at a Service Organization refer to the controls that are in place at your company.

Many of these controls should be covered within your policies and procedures, as they should reflect an accurate depiction of the various processes that occur within your organization. Accurate policies and procedures (P&P) should be designed, implemented, and documented by the service organization. When the service auditor is testing the effectiveness of your control objectives and activities, your P&P support the achievement of the control objectives. While P&P are not enough to determine that a process is operating effectively, they can support the design effectiveness of a control.

Typically a service auditor will perform testing, beyond P&P, around the control objectives and activities to support the fact that employees are performing their duties in accordance with the P&P, because without the additional testing, it would be impossible have comfort that they are actually being followed.

Simply put, good policies and procedures will only get you so far during an audit because you still need to prove to the auditors that the functions management say are being performed are being carried out correctly.

This information is also consistent with SSAE-18 which is effective as of May 1, 2017.