Tag Archives: SSAE No. 16

SSAE 16 Terminology – Controls at a Service Organization

Controls at a Service Organization refer to the controls that are in place at your company.

Many of these controls should be covered within your policies and procedures, as they should reflect an accurate depiction of the various processes that occur within your organization. Accurate policies and procedures (P&P) should be designed, implemented, and documented by the service organization. When the service auditor is testing the effectiveness of your control objectives and activities, your P&P support the achievement of the control objectives. While P&P are not enough to determine that a process is operating effectively, they can support the design effectiveness of a control.

Typically a service auditor will perform testing, beyond P&P, around the control objectives and activities to support the fact that employees are performing their duties in accordance with the P&P, because without the additional testing, it would be impossible have comfort that they are actually being followed.

Simply put, good policies and procedures will only get you so far during an audit because you still need to prove to the auditors that the functions management say are being performed are being carried out correctly.

This information is also consistent with SSAE-18 which is effective as of May 1, 2017.

SSAE 16, The New Standard

So you have been performing a SAS 70 for the last couple years, or, are getting ready prepared to embark on your first SAS 70, and all of a sudden you hear that a brand new standard has been issued!

Don’t worry about it!
SSAE 16 is an improvement to the current standard for Reporting on Controls at a Service Organization, the SAS70, with some changes that will help bring your company and the rest of the companies in the US up to date with new international service organization reporting standards, ISAE 3402. This will help allow you and your counterparts in the US be able to compete on an international level, allowing for companies around the world to be able to use YOU as their service organization with complete comfort.
One very important issue that you should be very aware of is that SSAE 16 will formally be issued in June 2010 with an effective date of June 15, 2011, meaning that if you are not on top of this new standard soon, you need to be. Many organizations have a 12 month testing period that begins in July, and if this sounds like your company, you will be required to be compliant with the New Standards as of July 1, 2010.

Major differences between SAS 70 and the New Standard, SSAE 16 and ISAE 3042:

1) Management of the Service Organization will be required to provide the service auditor with a written assertion about the following, when performing either a Type I or Type II engagement, which the service auditor will then attest to:

  • The fairness of the presentation of the description of the service organization’s system;
  • The suitability of the design of the controls to achieve the related control objectives stated in the description; and
  • The operating effectiveness of those controls to achieve the related control objectives stated in the description (Type II Only)

2) During the process of understanding the service organization’s system, the Service Auditor would be required to obtain information that would identify risks that the description of the service organization’s system is not fairly presented or that the control objectives stated in the description were not achieved due to intentional actions by service organization personnel.

Changes that Directly Impact Type II Engagements

1) The Service Auditor’s opinion on the fairness of the presentation of description of the service organization’s system and on the suitability of the design of the controls would be for a full period, as opposed to a specified date. (i.e. Your report would be for the 6 months covering July 2010 through December 2010.)

  • The Type II report would identify the customers to whom use of the report is restricted as “customers of the service organization’s system during some or all of the period covered by the service auditor’s report”

2) Evidence obtained in prior engagements related to the satisfactory operation of controls in prior periods will not be sufficient to reduce the amount of testing performed.

Expected Change Which Didn’t Occur:

While it was expected that SSAE 16 would build upon the previous SAS 70 standard of reporting only on financial reporting activities and allow a service organization to branch out in to other areas of their business, such as regulatory compliance and performance metrics, this was not included within the initial final version of the New Standard and there has been no guidance as to when it would be expected, if ever, to be.

The Previously Expected Change Which Didn’t Occur, Now Has with SSAE-18!

The long awaited update that was needed, but, left unaddressed the during the last update has now been addressed, allowing a service organization to branch out into other areas of their business. This allows coverage of regulatory compliance, performance metrics, and any other set of agreed-upon procedures with definable metrics.

This is a very welcomed enhancement to the standard and service organizations should contact a service provider today to learn more about how SSAE-18 can benefit them.

SSAE-18 reports will be effective for reports issued after May 1, 2017.

SSAE 18 (SSAE 16) Preparation Tips

This tip is focused on designing controls that reflect the process being testing, if they don’t, a headache of massive proportions will be created once testing begins.

What do you do to make sure you don’t screw this up? Have as many meetings as it takes to get it right.
What you need to do is sit down with the auditors, the department lead, the main employees responsible for performing the process, and anyone else whom could either play a role in testing or modifying the control in the future. Once that is done, Management should discuss what they determined the control to be and how it should operate, that is then reviewed by the auditors, and then the employees performing the tasks should be reconsulted to verify that the control still reflects their process accurately.

Many times people try to speed this process up and slack on it, leaving many open items which upon testing could easily blow up into a huge problem. When the control isn’t 100% agreed upon prior to testing and a deviation is noted, it’s a tough call between failing the control and the ability to adjust it to accurately reflect the process. The problem is modifying a control after testing has begun is not proper and needs to be avoided at all costs.

Locking the controls locked down early on could save weeks in wrapping up your new SSAE 16 Report.
We have seen issues like this cause delays in issuing of the report to the client and running additional fees, since adjusting controls isn’t free. Coming from the perspective of the auditor, we can let you know the pitfalls, consequences and how to best navigate the audit process. If you have any comments or questions please leave them below!

SSAE 16 Terminology – Criteria

Criteria, as defined by the SSAE 18 (formerly SSAE 16) guidance are:

The standards or benchmarks used to measure and present the subject matter and against which the service auditor evaluates the subject matter.

Criteria are the overarching goals that the control objectives and activities that are in place are designed to meet and that the final report is to give assurance on, for example, “The system is protected against unauthorized access (both physical and logical).” To meet this criteria, a company may decide to include controls such as “Firewalls are installed at all external entry points” or “A User Access Review of Access Badges is performed on a Monthly Basis”. Criteria are used as a benchmark to assess the design and operating effectiveness of internal controls at an organization, however, Management is responsible for making sure that the controls in place support the defined criteria sufficiently.

There are best practice criteria available for most industries that reflect prevailing internal controls best practices and requirements from around the world, some of these can be found on the AICPA website if you would like some additional examples.

This definition and information is consistent in SSAE-18.