
The control environment is the foundation for all other components of internal control (control activities, risk assessment, information and communication, monitoring) and helps to provide the necessary structure and discipline. It effectively helps to establish the "tone at the top" within an organization, a common phrase used to discuss a critical component of one's control environment.

Some examples of the expression of one's control environment for SSAE 16 Type 1 and Type 2 reporting within an organization would include the following:

  • The overall philosophy, ideology, beliefs and operating style of management.
  • The structure of the organization, key personnel and their applicable roles, responsibilities, and duties.
  • Management's attitude, concern, and overall ability to provide sufficient resources for all organizational issues as needed.

This is just a small sample of what the term "control environment" actually encompasses. For a more detailed explanation, there are numerous resources available on the internet, such as the COSO website and the American Institute of Certified Public Accountants (AICPA) bookstore (www.cpa2biz.com), to name a select few.

What's also vitally important to understand about the concept of one's control environment for purposes of SSAE 16 compliance is that the service organization's description of its "system" calls for the illustration of "other aspects of our control environment, risk assessment process, information and communication systems, control activities and monitoring...". Thus, as a service organization, you'll need to give a detailed description of your control environment, along with the other supporting components of your internal control, which again, are the following:

  • Control Activities
  • Risk Assessment
  • Information and Communication
  • Monitoring

A highly qualified IR CPA firm can help develop one's description of their control environment for purposes of SSAE 16 compliance.

Lastly, your organization may also benefit from an SSAE 16 Readiness Assessment, which would also help in better understanding the requirements for developing a description of the "system".

Since 2006, NDNB has been setting the standard for security & compliance regulations