FAQs

  1. Will a project leader be assigned to coordinate key deliverables and manage to milestone dates?
  2. Describe the level of involvement in drafting the control narrative and control descriptions. Will controls be identified by and validated by SSAE 16 Professionals, or do you anticipate defining the controls subsequent to engaging in a discovery process?
  3. Please provide a definition for what constitutes a control.
  4. Describe in detail the methodology to test the controls.
  5. Indicate what would constitute a reported exception during the control testing process.
  6. Describe what constitutes a User Control Consideration.
  7. Describe billing considerations and cycles.
  8. Describe the billing methods in the event that the project exceeded the time and/or effort agreed upon in the executed agreement.
  9. Please indicate those actions/communications, etc. that would be included as part of the overall billing.
  10. Please provide a sample agreement or contract that you utilize for your SSAE 16 Type II services.
  11. What is the preferred method and frequency for discussing the project status, including key deliverables, gaps, and open questions?
  12. What are the major differences between SAS 70 and SSAE 16?
  13. Will SSAE 16 completely replace SAS 70?
  14. How similar are SSAE 16 and ISAE 3402?
  15. What is a service organization’s “system”?
  16. What is the “written assertion” by management?
  17. Do you perform ISAE 3402 Type I and Type II Reports?
  18. What is the difference between a Type I and Type II Audit?
  19. What are the 5 Sections which make up the SSAE 16 and SOC 2 reports?
  20. What are “restricted use” reports?

01. Will a project leader be assigned to coordinate key deliverables and manage to milestone dates?

Yes, your team will consist of experienced SSAE 16 personnel – who will run status meetings, review all fieldwork, perform billings, and prepare the SSAE 16 reports.

02. Describe the level of involvement in drafting the control narrative and control descriptions. Will controls be identified by, and validated by, SSAE 16 Professionals, or do you anticipate defining the controls subsequent to engaging in a discovery process?

SSAE 16 Professionals will work with your management team to advise on the creation of narratives and controls. Specifically, we will advise management on the selection/customization of the controls most applicable to you and your customers, based on the services you provide to your customers. In summary, we will work with you to understand your business and review the documented report.

03. Please provide a definition for what constitutes a control.

A control is a process designed to help an organization accomplish specific goals/objectives, mitigate risks/fraud, and protect resources. SSAE 16 reviews are very customizable; therefore, you are allowed to disclose your control objectives and activities in any way you see fit that would give you the best coverage for the users of the report.

04. Describe in detail the methodology to test the controls.

SSAE 16 Professionals utilizes corroboration (speaking with two or more individuals) along with one or more of the following methods to test all controls:

  • Observation
  • Obtaining/Reviewing Documentation
  • Re-Performance
  • Automated Scanning Tools (for security related controls)

05. Indicate what would constitute a reported exception during the control testing process.

SSAE 16 Professionals usually identifies exceptions for individual control activities; the overall control objectives and the overall opinion letter are typically not affected (depending on the number and severity of findings at the activity level).

Regardless, you will have no surprise exceptions, as all findings are discussed in real time as they are identified, as well as during weekly status meetings. This allows you to remediate the issues, which SSAE 16 Professionals notes in the final report (i.e. “a finding was identified but has since been corrected/fixed during the coverage period”).

Additionally, our sample size guidance usually gives you 2 chances to pass most tests performed during our fieldwork (see below). For example, if we choose 23 samples and one fails, we will pull another 12. If one fails from the additional 12 we will pull another 10 to see if it passes.

Population*     Sample size          Minimum sample size –   Minimum sample size –
                                     one deviation           two deviations
0 – 100         10% of population    N/A                     N/A
101 – 500       23                   35                      45
> 500           25                   40                      60

* Number of control occurrences during the examination period
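The staged sample-expansion rule in the table above, written out as an added Python example (not the firm's own tooling). It generalises the page's two-stage description to any deviation count the table covers, so two failures in the first pull expand straight to the two-deviation minimum; the 10% rounding and the pass/exception thresholds are assumptions.

```python
import math
from typing import List, Optional, Tuple


def sample_plan(population: int) -> Tuple[Optional[int], ...]:
    """Minimum total sample size indexed by cumulative deviations (0, 1, 2), per the table.

    None means the table gives N/A, i.e. no expansion is available in that band.
    The 0-100 band is 10% of the population; rounding up is an assumption.
    """
    if population < 0:
        raise ValueError("population must be a non-negative count of control occurrences")
    if population <= 100:
        return (math.ceil(population * 0.10), None, None)
    if population <= 500:
        return (23, 35, 45)
    return (25, 40, 60)


def evaluate(population: int, deviations_per_pull: List[int]) -> Tuple[str, List[Tuple[int, int]]]:
    """Walk the expansion procedure over a constructed sequence of pull results.

    deviations_per_pull[i] is the number of failed items found in the i-th pull.
    Returns ("pass" | "exception", pulls), where pulls lists (items pulled,
    deviations found) for each stage actually executed.
    Interpretation (assumption): after each pull the test passes once the cumulative
    sample meets the table minimum for the cumulative deviation count; more deviations
    than the table covers, or any deviation in the 0-100 band, is a reported exception.
    """
    minimum = sample_plan(population)
    pulled = total = 0
    pulls: List[Tuple[int, int]] = []
    target = minimum[0]
    for found in deviations_per_pull:
        if found < 0 or found > target - pulled:
            raise ValueError("deviations cannot exceed the items in the pull")
        pulls.append((target - pulled, found))
        pulled, total = target, total + found
        if total >= len(minimum) or minimum[total] is None:
            return "exception", pulls      # beyond what the table allows
        if pulled >= minimum[total]:
            return "pass", pulls           # cumulative sample meets the minimum
        target = minimum[total]            # expand to the next minimum
    raise ValueError("procedure not finished: supply results for the next pull")


if __name__ == "__main__":
    # Constructed walkthrough of the page's own scenario: 23 pulled, one fails,
    # 12 more pulled, one fails, 10 more pulled and they all pass.
    print(evaluate(300, [1, 1, 0]))
```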

06. Describe what constitutes a User Control Consideration.

SSAE 16 Professionals will advise you in developing a list of Client/User Control Considerations, which are controls that are the responsibility of your customers, in addition to the controls listed and tested in your report.

Specifically, “The operation controls put in place by you have been designed with the assumption that client organizations will implement certain complementary internal control policies and procedures. In addition to reviewing and understanding your controls (described in your SSAE 16 report), client management should review the CLIENT/USER CONTROL CONSIDERATIONS identified by you and confirm that the controls are functioning effectively”.

07. Describe billing considerations and cycles.

Time and expenses are tracked in detail. All billings will be performed directly by your client service SSAE 16 team. Our invoices are extremely detailed, including hours by person and out-of-pocket expenses. We don’t just list hours, expenses, etc. as one line item along with a total fee. Rather, we break it down on your invoice into detail by person, date, type of expense, charge, etc. There will be full transparency at all times.

08. Describe the billing methods in the event that the project exceeded the time and/or effort agreed upon in the executed agreement.

There will be no surprise fees and any potential change orders (i.e. – if you decide to add more locations and scope to the report) will be discussed with management before proceeding.

If the scope and locations remain constant and SSAE 16 Professionals exceeds the time and/or effort planned, we will eat/write off the additional time. Your fee as agreed to in the engagement letter is the total cost for professional services you will pay regardless of how much longer the SSAE 16 process takes. We would rather absorb this cost in hope of establishing a long-term SSAE 16 relationship with you.

09. Please indicate those actions/communications, etc. that would be included as part of the overall billing.

Invoices will be sent monthly, only during months when fieldwork is performed. Most often, you would receive 3 invoices in total:

  • End of Phase I (Readiness Review)
  • End of Phase II (Type I or Type II SSAE 16 Fieldwork)
  • End of Phase III (Report Processing) along with delivery of final reports

10. Please provide a sample agreement or contract that you utilize for your SSAE 16 Type II services.

If you decide to move forward with SSAE 16 Professionals, we will create a formal/customized engagement letter promptly. The engagement letter will be broken down into the following sections:

  • Scope of Services
  • Management Responsibilities
  • Use and Distribution of Our Report
  • Fees/Billings
  • Authorization
  • Attachment A – Additional Terms

11. What is the preferred method and frequency for discussing the project status, including key deliverables, gaps, and open questions?

As issues are identified, we will bring them up immediately (to give you the opportunity to correct/fix them prior to the end of the coverage period). Our SSAE 16 team will also conduct weekly status meetings (onsite or conf call) with management. Additionally, a formal meeting will take place at the end of our fieldwork to discuss all findings still in place prior to our report preparation phase. We will work with management to agree on which findings are “informational only” and which should go in the report (along with management responses). That way, there will be no surprises once you receive the first draft of the SSAE 16 report.

12. What are the major differences between SAS 70 and SSAE 16?

SAS 70 differs from SSAE 16 in a number of areas, the most fundamental being that SSAE 16 is an “attestation” standard, while SAS 70 is an “auditing” standard. The Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) felt that examining a service organization’s “system” and its controls is not an audit of financial statements, and thus should not be categorized as such.

Additionally, the ISAE 3402 standard, put forth by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC), is an “assurance” standard, which is essentially equivalent to the SSAE 16 “attestation” standard.

As for reporting requirements for service organizations, SSAE 16 requires a description of one’s “system” along with a written assertion by management, whereas SAS 70 requires a description of “controls” and no written assertion. Because the SSAE 16 description of the “system” differs from the SAS 70 auditing standard’s description of “controls”, many organizations may find themselves having to revise their prior descriptions to meet the new requirements for SSAE 16 reporting.

Generally, most practitioners seem to agree that the SSAE 16 requirements for a description of its “system” are considered more comprehensive and expansive than the SAS 70 auditing standards description of “controls”.

13. Will SSAE 16 completely replace SAS 70?

Yes. Statement on Standards for Attestation Engagements (SSAE) No. 16 is effectively replacing the long-standing Statement on Auditing Standards No. 70 (SAS 70). SSAE 16 becomes effective for reporting periods that end on or after June 15, 2011. Additionally, SSAE 16 is an “attestation” standard, whereas SAS 70, introduced in 1992, was an “auditing” standard. It’s also important to note that service organizations under SSAE 16 have new reporting requirements, the two most notable being the following:

1) Management of the Service Organization will be required to provide the service auditor with a written assertion about the following, when performing either a Type I or Type II engagement, which the service auditor will then attest to:

  • The fairness of the presentation of the description of the service organization’s system;
  • The suitability of the design of the controls to achieve the related control objectives stated in the description; and
  • The operating effectiveness of those controls to achieve the related control objectives stated in the description (Type II Only)

2) During the process of understanding the service organization’s system, the Service Auditor would be required to obtain information that would identify risks that the description of the service organization’s system is not fairly presented or that the control objectives stated in the description were not achieved due to intentional actions by service organization personnel.

Under SAS 70, service organizations provided a description of their “controls” and were not required to provide a written assertion by management. Because of these new reporting requirements for SSAE 16, service organizations should consider engaging a qualified CPA firm to provide an SSAE 16 Readiness Assessment, a useful and proactive engagement for helping service organizations clearly understand all critical aspects of the SSAE 16 attestation standard.

Along with the introduction of SSAE 16, which is a U.S. standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), comes ISAE 3402, the global standard for assurance reporting on controls at service organizations.

SSAE 16, ISAE 3402, and other country and region specific standards will effectively become the dominant players for third party reporting on controls at service organizations.

14. How similar are SSAE 16 and ISAE 3402?

SSAE 16 and ISAE 3402 share a common framework that is a direct result of a convergence of accounting standards between the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) and the global standard-setting framework advocated by the International Federation of Accountants (IFAC) and other relevant parties. In short, both SSAE 16 and ISAE 3402 represent the migration towards global accounting standards and have highly similar frameworks.

That’s not to say they are identical, because they are not, but their differences essentially relate to the technical references used by service auditors and other minor issues, such as restricting the use of the Service Auditor’s Report, what constitutes “complete” documentation, and engagement acceptance criteria.

Additionally, SSAE 16 is known as an “attestation” standard, while ISAE 3402 is an “assurance” standard, and though technically different, they both require management to provide a description of its “system” and a written statement of assertion.

In summary, SSAE 16 and ISAE 3402 are highly similar, sharing a common framework for reporting on controls at service organizations. It is too early to tell which of these two standards (or any remaining country or region specific standards) will take root and become widely used, much like SAS 70, the standard-bearer for over 18 years.

15. What is a service organization’s “system”?

SSAE 16 requires service organizations to provide a description of their “system”. There are many ways to describe what a “system” is, thus it’s best to define it as the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization’s core activities that are relevant to user entities.

In short, a service organization will need to provide a description that adequately identifies and illustrates all critical and material services being provided, the procedures used, from beginning to end, for the transactions, along with how the system captures and also addresses significant events and conditions.

A description of its “system” for purposes of the SSAE 16 standard will also need to include the control objectives, related controls and user control considerations, along with the service organization’s elements of internal control, which may be based on the COSO framework.

It’s interesting to note that while the SAS 70 auditing standard called for a description of “controls”, SSAE 16 requires service organizations to provide a description of its “system”. Thus, some service organizations may find themselves making significant changes to their previous description of “controls” for ensuring they meet the new requirements for SSAE 16.

So, what essentially is the key difference between the SAS 70 description of “controls” vs. the SSAE 16 description of its “system”? Many practitioners (i.e., service auditors) feel that the SSAE 16 description of its “system” is looked upon as a more comprehensive and expansive illustration of services being performed by the actual service organization than that of the previous SAS 70 requirement for the description of its “controls”.

16. What is the “written assertion” by management?

The written assertion by management for SSAE 16 essentially contains a number of provisions that management of the service organization must “assert” to, such as the following:

  • That the description of the service organization’s “system” fairly presents the service organization’s system that was designed and implemented at either a specific date, which is for an SSAE 16 Type 1 report, or implemented throughout a specified time period, which is for an SSAE 16 Type 2 report.
  • That the controls stated in management’s description of the service organization’s system were suitably designed to achieve the control objectives at either a specific date, which is for an SSAE 16 Type 1 report, or designed throughout a specified time period, which is for an SSAE 16 Type 2 report, to achieve those control objectives, along with having them operate effectively throughout the specified time period.

17. Do you perform ISAE 3402 Type I and Type II Reports?

ISAE 3402, the International Standard on Assurance Engagements, was put forth by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board within the International Federation of Accountants (IFAC). ISAE 3402 essentially becomes the new globally recognized standard for assurance reporting on service organizations. As a result of the issuance of ISAE 3402, auditors now have the ability to use a globally accepted framework, whereas in the past Statement on Auditing Standards No. 70 (SAS 70) was the de facto standard that was largely used. ISAE 3402, much like the U.S. SSAE 16 standard, requires management to provide a description of its “system” along with a written statement of assertion by management.

And much like the SSAE 16 standard, ISAE 3402 reporting will result in the issuance of a Type 1 or Type 2 report by a service auditor. An ISAE 3402 Readiness Assessment should be undertaken to ensure service organizations are aware of the changes necessary for complying with the ISAE 3402 standard.

18. What is the difference between a Type I and Type II Audit?

  • A Type I audit is an audit as of a specified “POINT IN TIME”. Think of a picture (snapshot in time).
  • A Type II audit is an audit over a “PERIOD OF TIME”. Think of a movie (period of time).

19. What are the 5 Sections which make up the SSAE 16 and SOC 2 reports?

Section 1) Service auditor’s opinion

Section 2) Management’s assertion letter

Section 3) A description of the service organization’s system

Section 4) The service auditor’s tests of controls and results of tests

Section 5) Other supplemental information not covered in other sections

20. What are “restricted use” reports?

SOC 1 reports are restricted use reports, which means use of the reports is restricted to:

  • Management of the service organization (the company who has the SOC 1 performed);
  • User entities of the service organization (service organization’s clients); and
  • The user entities’ financial auditors (user auditor). The report can assist the user entities’ financial auditors with laws and regulations such as the Sarbanes-Oxley Act. A SOC 1 enables the user auditor to perform risk assessment procedures, and if a Type II report is performed, to assess the risk of material misstatement of financial statement assertions affected by the service organization’s processing.