Tag Archives: ssae-18

What does Management Need to Provide the Auditors?


If you have never been audited before, as is the case with many service organizations, you are probably wondering what kind of documentation will I need to give the auditors? What will they do with it once they have it?

A high level explanation per the SSAE 16 Guidance:

(1) access to all information, such as records and documentation, including service
level agreements, of which management is aware that is relevant to the
description of the service organization’s system and the assertion;
(2) additional information that the service auditor may request from management for
the purpose of the examination engagement;
(3) unrestricted access to personnel within the service organization from whom the
service auditor determines it is necessary to obtain evidence relevant to the
service auditor’s engagement; and
(4) written representations at the conclusion of the engagement

Basically, you must give up anything needed by the service auditor that will permit them to attest to “Management’s description of the service organization’s system”, the main change associated with SSAE 16.

Many of the controls at your organization will be reliant upon documents such as service level agreements and subservice organization’s SSAE 16 reports. Controls will also require you to pass off policies and procedures, organizational charts, job descriptions, firewall configurations, and other internal documentation.

The most intrusive part of the SSAE 16 Review is that the auditors will need to talk to any and all of the employees that have a role in performing the controls being tested. Without that access, it would be impossible for the auditors to have a clear understanding of the processes when testing your controls. However, this shouldn’t be viewed as a negative, it will help your employees improve their processes in the future by gaining tips and insight from the auditors that will help them be better prepared for next year’s audit. Also, it will help clear up any potential findings or issues the auditors find, as in many cases there is no problem and an explanation is all that is needed, making the audit go MUCH smoother.

All of the documentation and information provided will never be seen by anyone other than the auditors performing the testing. The documentation is needed for the service auditors to assess the design and operating effectiveness of your controls. Once the testing and review phases are complete, your report will be issued and all that will be included is whether you either passed or failed that control, so don’t worry!

If you have any questions feel free to leave them in the comments section below and we will do our best to respond!

This information is also consistent with SSAE-18 which is effective as of May 1, 2017.

The biggest update in SSAE 18 as it relates to this post is a Company is now required to provide the auditor a detailed risk assessment based around key internal risks where there is potential for material misstatement and supporting controls.

Please use the contact provider form to connect with a qualified professional to answer anymore questions.

SOC 1 Report


A SOC 1 Report (System and Organization Controls Report) is a report on Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting. The SOC1 Report is what you would have previously considered to be the standard SAS70, complete with a Type I and Type II reports, but falls under the SSAE 16 guidance (and soon to be SSAE 18).

Please see the following articles discussing the SSAE 16 guidance and additional information related to the SOC 1 (Type I and Type II) Reports:

In addition to the SOC 1 report which is restricted to controls relevant to an audit of a user entity’s financial statements, the SOC 2 and SOC 3 reports have been created to address controls relevant to operations and compliance and will be discussed in further detail in the future.

Please see the SOC 1 Reporting Guide page for additional information.

SSAE 16 Terminology – Controls at a Service Organization


Controls at a Service Organization refer to the controls that are in place at your company.

Many of these controls should be covered within your policies and procedures, as they should reflect an accurate depiction of the various processes that occur within your organization. Accurate policies and procedures (P&P) should be designed, implemented, and documented by the service organization. When the service auditor is testing the effectiveness of your control objectives and activities, your P&P support the achievement of the control objectives. While P&P are not enough to determine that a process is operating effectively, they can support the design effectiveness of a control.

Typically a service auditor will perform testing, beyond P&P, around the control objectives and activities to support the fact that employees are performing their duties in accordance with the P&P, because without the additional testing, it would be impossible have comfort that they are actually being followed.

Simply put, good policies and procedures will only get you so far during an audit because you still need to prove to the auditors that the functions management say are being performed are being carried out correctly.

This information is also consistent with SSAE-18 which is effective as of May 1, 2017.

The SSAE16 Auditing Standard


SSAE 16 is an enhancement to the current standard for Reporting on Controls at a Service Organization, the SAS70. The changes made to the standard will bring your company, and the rest of the companies in the US, up to date with new international service organization reporting standards, the ISAE 3402. The adjustments made from SAS 70 to SSAE 16 will help you and your counterparts in the US compete on an international level; allowing companies around the world to give you their business with complete confidence.

SSAE16 is now effective as of June 15, 2011, and if you have not made the necessary adjustments required, now is the time to find a quality provider to discuss the proper steps. All organizations are now required to issue their Service Auditor Reports under the SSAE 16 standards in an SOC 1 Report.

The soon to be effective, SSAE-18, is expected to follow a similar reporting structure to the SSAE-16 within a SOC 1 report.

Who Needs an SSAE 16 (SOC 1) Audit?

A service organization’s services are part of an entity’s information system if they affect any of the following:The classes of transactions in the entity’s operations that are significant to the entity’s financial statements. The procedures, both automated and manual, by which the entity’s transactions are initiated, recorded, processed, and reported from their occurrence to their inclusion in the financial statements.The related accounting records, whether electronic or manual, supporting information, and specific accounts in the entity’s financial statements involved in initiating, recording, processing and reporting the entity’s transactions. How the entity’s information system captures other events and conditions that are significant to the financial statements. The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures.If your Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), you will more than likely be asked to provide an SSAE16 Type II Report, especially if the User Organization is publicly traded.
Some example industries include:

  • Payroll Processing
  • Loan Servicing
  • Data Center/Co-Location/Network Monitoring Services
  • Software as a Service (SaaS)
  • Medical Claims Processors

What you Need to Know:

Before starting the SSAE 16 process, there are a number of considerations one must take into account that can save considerable time, effort, and money in the long run. Use the following items as a mini checklist for yourself:

  • Does my Company need an SSAE16, or, are we doing it just because someone asked?
  • Reports on the low end can run at least $15,000 a year, will the business lost be less of a burden than the cost of the report itself?
  • Does your company have defined Business Process and IT controls in place, or, will you need assistance developing and implementing them (readiness assessment)?
  • Have you determined the controls in place which affect the outsourced services being provided?
  • Have key stakeholders been defined and included in discussions?

There are many other issues to consider before engaging a CPA firm to help with your SSAE 16, for a more detailed ‘checklist’ – please see The SSAE 16 Checklist

You may have heard SSAE-18 is on the horizon for reports issued as of May 1, 2017. There are some important updates discussed in here: SSAE-18 – An Update to SSAE-16.

As the standard is formalized and the date approaches we will continue to provide more information to help you prepare for these changes.