Yes, your team will consist of experienced SSAE 16 personnel – who will run status meetings, review all fieldwork, perform billings, and prepare the SSAE 16 reports.
SSAE 16 Professionals will work with your management team to advise on the creation of narratives and controls. Specifically, we will advise management on the selection/customization of the controls most applicable to you and your customers, based on the services you provide to your customers. In summary, we will work with you to understand your business and review the documented report.
A control is a process designed to help an organization accomplish specific goals/objectives, mitigate risks/fraud, and protect resources. SSAE 16 reviews are very customizable; therefore, you are allowed to disclose your control objectives and activities in any way you see fit that would give you the best coverage for the users of the report.
SSAE 16 Professionals utilizes corroboration (speaking with two or more individuals) along with one or more of the following methods to test all controls:
SSAE 16 Professionals usually identifies exceptions for individual control activities, but the overall control objectives and the overall opinion letter are typically not affected (depending on the number and severity of findings at the activity level).
Regardless, you will have no surprise exceptions, as all findings are discussed in real time as they’re identified, as well as during weekly status meetings. This allows you to remediate the issues – which SSAE 16 Professionals notes in the final report (i.e. – “a finding was identified but has since been corrected/fixed during the coverage period”).
Additionally, our sample size guidance usually gives you 2 chances to pass most tests performed during our fieldwork (see below). For example, if we choose 23 samples and one fails, we will pull another 12. If one fails from the additional 12 we will pull another 10 to see if it passes.
| Population * | Sample size | Minimum sample size – one deviation | Minimum sample size – two deviations |
|---|---|---|---|
| 0 – 100 | 10% of Population | N/A | N/A |
| 101 – 500 | 23 | 35 | 45 |

\* Number of control occurrences during the examination period
SSAE 16 Professionals will advise you in developing a list of Client/User Control Considerations – which are controls that are the responsibility of your customers, in addition to the controls listed & tested in your report.
Specifically, “The operation controls put in place by you have been designed with the assumption that client organizations will implement certain complementary internal control policies and procedures. In addition to reviewing and understanding your controls (described in your SSAE 16 report), client management should review the CLIENT/USER CONTROL CONSIDERATIONS identified by you and confirm that the controls are functioning effectively”.
Time and expenses are tracked in detail. All billings will be performed directly by your client service SSAE 16 team. Our invoices are extremely detailed – including hours by person and out-of-pocket expenses. We don’t just list hours, expenses, etc. as one line item along with a total fee. Rather, we break it down on your invoice into detail by person, date, type of expense, charge, etc. There will be full transparency at all times.
There will be no surprise fees and any potential change orders (i.e. – if you decide to add more locations and scope to the report) will be discussed with management before proceeding.
If the scope and locations remain constant and SSAE 16 Professionals exceeds the time and/or effort planned, we will eat/write off the additional time. Your fee as agreed to in the engagement letter is the total cost for professional services you will pay regardless of how much longer the SSAE 16 process takes. We would rather absorb this cost in hope of establishing a long-term SSAE 16 relationship with you.
Invoices will be sent monthly, only during months when fieldwork is performed. Most often, you would receive 3 invoices in total.
If you decide to move forward with SSAE 16 Professionals, we will create a formal/customized engagement letter promptly. The engagement letter will be broken down into the following sections:
As issues are identified, we will bring them up immediately (to give you the opportunity to correct/fix them prior to the end of the coverage period). Our SSAE 16 team will also conduct weekly status meetings (onsite or conf call) with management. Additionally, a formal meeting will take place at the end of our fieldwork to discuss all findings still in place prior to our report preparation phase. We will work with management to agree on which findings are “informational only” and which should go in the report (along with management responses). That way, there will be no surprises once you receive the first draft of the SSAE 16 report.
SAS 70 differs from SSAE 16 in a number of areas; the most fundamentally important aspect being that SSAE 16 is an “attestation” standard, while SAS 70 is an “auditing” standard. The Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) felt that examining a service organization’s “system” and its controls is not an audit of financial statements, and thus should not be categorized as such.
Additionally, the ISAE 3402 standard, put forth by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC), is an “assurance” standard, which is essentially equivalent to the SSAE 16 “attestation” standard.
As for reporting requirements for service organizations, SSAE 16 requires a description of one’s “system” along with a written assertion by management, whereas SAS 70 requires a description of “controls” and no written assertion. The practical consequence of the difference between the SSAE 16 description of its “system” and the SAS 70 auditing standard’s description of “controls” is that many organizations may find themselves having to revise their prior descriptions to meet the new requirements for SSAE 16 reporting.
Generally, most practitioners seem to agree that the SSAE 16 requirements for a description of its “system” are considered more comprehensive and expansive than the SAS 70 auditing standards description of “controls”.
Yes. Statement on Standards for Attestation Engagements (SSAE) No. 16 is effectively replacing the long-standing Statement on Auditing Standards No. 70 (SAS 70). SSAE 16 becomes effective for reporting periods that end on or after June 15, 2011. Additionally, SSAE 16 is an “attestation” standard, whereas SAS 70, introduced in 1992, was an “auditing” standard. It’s also important to note that service organizations under SSAE 16 have new reporting requirements, the two most notable being the following:
1) Management of the Service Organization will be required to provide the service auditor with a written assertion about the following, when performing either a Type I or Type II engagement, which the service auditor will then attest to:
2) During the process of understanding the service organization’s system, the Service Auditor would be required to obtain information that would identify risks that the description of the service organization’s system is not fairly presented or that the control objectives stated in the description were not achieved due to intentional actions by service organization personnel.
Under SAS 70, service organizations provided a description of their “controls” and were not required to provide a written assertion by management. Because of these new reporting requirements for SSAE 16, service organizations should consider engaging a qualified CPA firm to provide an SSAE 16 Readiness Assessment; a useful and proactive engagement for helping service organizations clearly understand all critical aspects of the SSAE 16 attestation standard.
Along with the introduction of SSAE 16, which is a U.S. standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), comes ISAE 3402, the global standard for assurance reporting on controls at service organizations.
SSAE 16, ISAE 3402, and other country and region specific standards will effectively become the dominant players for third party reporting on controls at service organizations.
SSAE 16 and ISAE 3402 share a common framework that is a direct result of a convergence of accounting standards between the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) and the global standard-setting framework advocated by the International Federation of Accountants (IFAC) and other relevant parties. In short, both SSAE 16 and ISAE 3402 represent the migration towards global accounting standards and have highly similar frameworks.
That’s not to say they are identical, because they are not, but their differences essentially relate to the technical references used by service auditors and other minor issues, such as restricting the use of the Service Auditor’s Report, what constitutes “complete” documentation, and engagement acceptance criteria.
Additionally, SSAE 16 is known as an “attestation” standard, while ISAE 3402 is an “assurance” standard, and though technically different, they both require management to provide a description of its “system” and a written statement of assertion.
In summary, SSAE 16 and ISAE 3402 are highly similar, sharing a common framework for reporting on controls at service organizations. It is too early to tell which of these two standards (or any remaining country- or region-specific standards) will take root and become widely used, much like SAS 70, the standard-bearer for over 18 years.
SSAE 16 requires service organizations to provide a description of their “system”. There are many ways to describe what a “system” is, thus it’s best to define it as the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization’s core activities that are relevant to user entities.
In short, a service organization will need to provide a description that adequately identifies and illustrates all critical and material services being provided, the procedures used, from beginning to end, for the transactions, along with how the system captures and also addresses significant events and conditions.
A description of its “system” for purposes of the SSAE 16 standard will also need to include the control objectives, related controls and user control considerations, along with the service organization’s elements of internal control, which may be based on the COSO framework.
It’s interesting to note that while the SAS 70 auditing standard called for a description of “controls”, SSAE 16 requires service organizations to provide a description of its “system”. Thus, some service organizations may find themselves making significant changes to their previous description of “controls” for ensuring they meet the new requirements for SSAE 16.
So, what essentially is the key difference between the SAS 70 description of “controls” vs. the SSAE 16 description of its “system”? Many practitioners (i.e., service auditors) feel that the SSAE 16 description of its “system” is looked upon as a more comprehensive and expansive illustration of services being performed by the actual service organization than that of the previous SAS 70 requirement for the description of its “controls”.
The written assertion by management for SSAE 16 essentially contains a number of provisions for which management of the service organization must “assert” to, such as the following:
ISAE 3402, the International Standard on Assurance Engagements, was put forth by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board within the International Federation of Accountants (IFAC). ISAE 3402 essentially becomes the new globally recognized standard for assurance reporting on service organizations. As a result of the issuance of ISAE 3402, auditors now have the ability to use a globally accepted framework, whereas in the past, Statement on Auditing Standards No. 70 (SAS 70) was the de facto standard that was largely used. ISAE 3402, much like the U.S. SSAE 16 standard, requires management to provide a description of its “system” along with a written statement of assertion by management.
And much like the SSAE 16 standard, ISAE 3402 reporting will result in the issuance of a Type 1 or a Type 2 report by a service auditor. An ISAE 3402 Readiness Assessment should be undertaken to ensure service organizations are aware of the changes necessary for complying with the ISAE 3402 standard.
Section 1) Service auditor’s opinion
Section 2) Management’s assertion letter
Section 3) A description of the service organization’s system
Section 4) Service auditor’s tests of controls and results of tests
Section 5) Other supplemental information not covered in other sections
SOC 1 reports are restricted use reports, which means use of the reports is restricted to: