What’s the purpose of an SSAE 16 audit, and should you pursue one? If you’re new to the world of information security audits, this guide covers the history of SSAE 16, why it replaced SAS 70, and how obtaining an SSAE 16 (SOC 1) report could benefit your business.

SSAE 16: The Past and the Present

Outsourcing critical business functions, such as IT or HR, is a common practice among many businesses today. While outsourcing is a great way to cut operational costs and acquire resources that aren’t available internally, it doesn’t come without risks. It is especially crucial to consider how outsourcing functions to service organizations could impact your internal control over financial reporting (ICFR).

Under Sarbanes-Oxley (SOX), publicly traded companies are responsible for maintaining an effective system of internal control over financial reporting (ICFR). Because a service organization’s controls can affect its clients’ ICFR, many user organizations require vendors that may impact their financial reporting to obtain an SSAE 16 (SOC 1) attestation report.

What is SAS 70?

SAS 70 is Statement on Auditing Standards No. 70, an older auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It provided standards for reporting on controls and processes at service organizations but, unlike the standards that followed it, did not require the service organization’s management to provide a written assertion about the design and operating effectiveness of its controls. SAS 70 was superseded by SSAE 16 in 2011 and, more recently, by SSAE 18.

What is SSAE 16?

SSAE 16 is Statement on Standards for Attestation Engagements No. 16. It provides standards and guidance for attestation reporting on controls and processes at service organizations. Engagements performed under SSAE 16 result in System and Organization Controls (SOC 1) reports. Unlike earlier standards, SSAE 16 requires a written assertion from the service organization’s management stating that its description fairly presents the system, control objectives, and controls that affect customers. SSAE 16 was superseded by SSAE 18 in 2017.

What is SSAE 18?

SSAE 18 is the current set of standards and guidance for reporting on controls and processes at service organizations, and it is the standard under which SOC 1 audits are now performed. It supersedes SSAE 16 and is intended to update and simplify previous standards. Like SSAE 16, SSAE 18 is used for SOC 1 reports, but it also governs SOC 2 and SOC 3 reports, which were previously performed under AT Section 101. Among other changes, SSAE 18 requires service organizations to identify and monitor their subservice organizations and to perform a formal risk assessment that the auditor can evaluate.

Out with the Old: Replacing the SAS 70

To make a long story short, CPAs had been using SAS 70 to report on matters other than financial reporting controls, something SAS 70 was never intended to do. To address this, the AICPA introduced a new attestation standard for assessing service organizations, replacing SAS 70 with Statement on Standards for Attestation Engagements No. 16, or SSAE 16, and improving the assurance such reports provide.

Not only does SSAE 16 provide a more comprehensive and descriptive assessment of controls, it also allows user organizations to properly assess the reliability of the controls at a service organization.

SSAE 16 vs. SAS 70: What are the Differences?

SAS 70, Cruising with The Auditing Standard

What’s the difference between SSAE 16 and SAS 70? One of the key differences is that SAS 70 is an “auditing” standard, whereas SSAE 16 is an “attestation” standard. When the AICPA decided to replace SAS 70, it considered it more appropriate for a service organization engagement to be an examination of a system, which is different from an audit of financial statements.

SSAE 16, Going Deeper with Attestation

The SSAE 16 report requires a description of a system along with a written assertion by management on the design and operating effectiveness of the controls being reviewed. The SAS 70, however, lacked the level of detail that the SSAE 16 offers. The SAS 70 simply provided a description of controls and did not include any type of management assertion.

New and Improved: The SSAE 16 Audit Report

SSAE 16 has been around long enough to have gained popularity and familiarity with both service organizations and their clients. However, we still receive a fair number of questions about the purpose of an SSAE 16 audit report, its components, and the benefits to a service organization of obtaining one.

As mentioned before, the purpose of an SSAE 16 report is to report on the controls at a service organization that may have an impact on their clients’ financial reporting.

If you’re an organization that provides hosting services, data management services, or similar services to a publicly traded company, it is likely you have been asked to pursue an SSAE 16 audit, and if not, you probably will be at some point. An SSAE 16 report allows user organizations and their auditors to assess the risks associated with doing business with a particular service provider.

Components of an SSAE 16 Audit Report

There is no fixed set of controls for an SSAE 16 engagement, as each is unique to the service organization and the type of business it conducts. However, there are common control objectives, and the components of an SSAE 16 (SOC 1) report are consistent: the independent service auditor’s report, management’s written assertion, a description of the system, the control objectives and related controls, and (in a Type II report) the auditor’s tests of operating effectiveness and their results.

Type I vs Type II Reports

There are two basic types of SSAE 16 reports, Type I and Type II. Both concern the accuracy of a service organization’s description of its system and controls and whether those controls are suitably designed to achieve the stated control objectives. They are similar in many ways, but the key differences are the period covered by the report and whether operating effectiveness is tested.

  • SSAE 16 Type I reports are “point in time” reports; they report on the fairness of the system description and the suitability of the design of controls as of a specified date. Operating effectiveness is not tested.
  • SSAE 16 Type II reports, in contrast, cover a period of time, typically no less than six months, and include the auditor’s tests of whether the controls operated effectively throughout that period.

It is often recommended that service organizations begin with an SSAE 16 Type I report, and then move to an SSAE 16 Type II report to demonstrate the maturing of their environment.

Learn more about Type I and Type II reports in What is the Difference Between SOC 1 Type I and SOC 1 Type II?

Benefits of Pursuing an SSAE 16 Audit Report

There are several benefits associated with obtaining an SSAE 16 audit report. First, it is a great way to demonstrate your commitment to delivering high quality services to your clients. It is also an important step in gaining the client trust you need to develop and grow your business. By engaging a third-party auditing firm to conduct an SSAE 16 audit engagement, you will not only satisfy current client demands, but gain a competitive advantage and have the opportunity to win new business.

The evolution of the reporting on controls at a service organization has inevitably brought more assurance and opportunity to the marketplace. The SSAE 16 audit report is a great way for organizations to demonstrate that they have the proper internal controls in place to protect client data. If you have any questions regarding obtaining an SSAE 16 audit report, whether it is the appropriate engagement for your organization, or how to prepare for your SSAE 16 audit, contact us today.

If your customers rely on you to process or protect their information, chances are you will be asked to produce an SSAE 16 audit report. An SSAE 16 audit reports on the controls at a service organization that are relevant to, or may affect, a client’s financial statements. It is designed to demonstrate that the organization has proper internal controls and processes in place to address the information security, operational, and compliance risks that bear on that reporting. It’s not uncommon to have a million questions the first time you engage in an SSAE 16 (SOC 1) audit. Where do we start? What does this entail? Will we fail? Here are 10 things you can do to begin preparing for your SSAE 16 audit.

1. Risk Assessment

If you look at any compliance or information security framework, audit, or standard, they all require a risk assessment. For that reason, performing a formal risk assessment is the best starting point in preparing for your upcoming SSAE 16 audit. A risk assessment helps you understand what you do as an organization, which assets and processes matter, and where the risks in your environment lie. The controls you implement should then be reasonable and feasible in light of that assessment. A written, formal risk assessment should be performed by a cross-section of departments and employees, not by a single team in isolation.

2. Evaluate Client Requirements

What market do you serve? Are you providing services to retail organizations? Healthcare organizations? The federal government? Financial services organizations? Your answers determine which laws and regulations apply to you and how you deliver your services. What do your clients expect from you? What does your contract say you’re providing? As a service provider, your audit’s scope is shaped by your service delivery methods, so client requirements should be evaluated in order to understand what is expected and reasonable. Don’t forget to review contracts and service packages to ensure that expectations have been properly documented.

3. Regulatory Implications

To prepare for your SSAE 16 audit, you must determine your regulatory responsibilities based on your locale and the customers you serve. For example, if you serve the healthcare market, you are responsible for complying with the relevant sections of HIPAA and the HITECH Act. If you serve the financial market, GLBA is relevant. If you serve publicly traded companies, SOX is relevant. If you serve the federal government, you must comply with FISMA. Taking each applicable regulatory framework into consideration will help determine what’s important when preparing for your SSAE 16 audit.

4. Service Delivery Controls

One of the biggest risks that businesses overlook (since it isn’t a security breach) is operational risk. As auditors, we look for controls that address operational efficiency, error detection, and quality assurance. These are the factors that make up a set of service delivery controls. What controls do you have in place along the service delivery process? A helpful way to manage service delivery controls is to create a data flow diagram covering the life cycle of your service delivery model, so that you can take the auditor step by step through the entire process.

5. Written Policies & Procedures

This isn’t the first time you’ve heard us say this, and it won’t be the last. The most important thing to remember when developing policies and procedures to prepare for any audit is “if it’s not written down, it didn’t happen.” A formally written and fully documented set of policies and procedures is paramount for an SSAE 16 audit because these are what we audit against. If your policy says you do X, Y, and Z, we will perform a test against that policy to verify that you do, in fact, do X, Y, and Z. A formal set of written policies and procedures also guides employees on company expectations and consequences and provides direction on the proper execution of service delivery. Policies and procedures should be fully endorsed by senior management and reviewed and updated by an authorized individual at least annually.

6. Training

When preparing for your SSAE 16 audit, policies and procedures and training go hand in hand. It’s essential that employees receive job-specific training to ensure full compliance with company policies and procedures. Did all employees attend? Did all employees comprehend? Is there a signed acknowledgement form stating that they have been presented with, and understand, what’s expected of them as employees? Since HR, IT, and Production, for example, are each responsible for different aspects of the business, training should be as job-specific as possible. Another type of training that is critical in the current threat landscape is security awareness training. Employees should be trained at least annually to keep them vigilant about the types of threats that are out there.

7. Vendor Management

Vendors represent a risk to every organization. Your requirements for each vendor may vary based on the risk that vendor poses to you. For example, a VPN-connected vendor introduces different risks than a cleaning service. When it comes to managing vendors, on-boarding and off-boarding procedures are just as critical as they are for employees. What will you require during on-boarding? A signed non-disclosure agreement? Verification that they perform background checks on their employees? Verification that they comply with the relevant information security and regulatory requirements? Effective policies, training, and monitoring can greatly reduce your vendor risk. Be sure to include a right-to-audit clause in your contracts.

8. Physical Controls

Physical controls restrict access to your physical environment. They cover things like controlling how someone enters and leaves your facility, tracking visitors, and keeping a log. Electronic access controls generate logs that can be used to verify access granted and denied. Video footage can be helpful after an incident to determine its impact. Visitor procedures are important for documenting historical events. Are there additional checkpoints or limited access once inside? Access to sensitive areas should be restricted on a strictly business-justified basis. Assessing your physical controls is an important part of preparing for an SSAE 16 audit.

9. Security Controls

When we talk about controls that affect “security,” we are talking about the CIA triad: Confidentiality, Integrity, and Availability. If an important document containing sensitive information is stolen, the confidentiality of that document has been compromised. If an important hardcopy document has been altered, or has gotten wet and is now partly unreadable so that its contents can no longer be trusted, the integrity of that document has been compromised. If something has gone missing, such as a filing cabinet full of sensitive documents, even though it hasn’t been taken by an unauthorized person, the availability of those documents has been compromised. Putting administrative, technical, and physical controls in place helps you address each of those three areas.

10. Availability Controls

Availability controls include things such as Business Continuity and Disaster Recovery Plans. These are critical for maintaining availability to your customers. Other availability controls to consider when preparing for an SSAE 16 audit are data backups, network monitoring, and cross-training employees.

Companies are looking to do business with vendors who understand these issues. Being proactive about undergoing your SSAE 16 audit can mean the difference in winning your next big deal and earning the trust and respect of the clients you serve.

KirkpatrickPrice strives to be your partner. Engaging in an SSAE 16 Audit doesn’t have to be a scary thing and we are here to offer help every step of the way with recommendations and resources to help strengthen your environment. If you’re ready to get some help, contact us today.