Service organizations that are new to third-party reporting on controls or who are migrating from the SAS 70 standard to SSAE 16 should follow a comprehensive roadmap for ensuring compliance in an efficient, seamless, and cost-effective manner. Without a workable roadmap and timeline, the transition to SSAE 16 compliance can seem daunting indeed.
NDB Accountants & Consultants has prepared the following SSAE 16 Roadmap to compliance: a series of essential steps to be taken to help your organization meet the demands of the new attestation standard.
Learn about the SSAE 16 standard
SSAE 16 brings out new reporting requirements for service organizations, and as such, these very service organizations need to gain a strong technical understanding of the following essential material:
- The service organization's description of its "system"
- The written assertion by management
- The internal audit function
- Subservice organization reporting
The above subject matter is explained in great detail at the SSAE 16 Resource Guide and can also be discussed in a more in-depth manner with a qualified PCAOB CPA firm, if needed.
Hire a Qualified PCAOB CPA Firm for SSAE 16 Reporting
Choose a CPA firm that specializes in regulatory compliance reporting and one that has formidable experience with the SAS 70 auditing standard, along with a strong technical understanding of the SSAE 16 standard and the international equivalent ISAE 3402 standard. A competent CPA firm will help you in the following manner:
- Provide you with a fixed fee for the SSAE 16 engagement.
- Provide guidance in helping you produce both the description of your "system" along with the written assertion by management.
- Provide, as needed, various policies, procedures, and other templates to help remediate any weaknesses within your control environment.
Conduct an SSAE 16 Readiness Assessment
An SSAE 16 Readiness Assessment should be considered a "must have" for any service organization, regardless of whether you are new to the regulatory compliance arena or are simply migrating from the SAS 70 auditing standard. In short, an SSAE 16 Readiness Assessment is a proactive and useful engagement that helps you better plan and execute the overall audit. An SSAE 16 Readiness Assessment should encompass the following:
- Understanding the reporting requirements for SSAE 16.
- Developing and agreeing on the scope of an SSAE 16 engagement, such as control objectives to include, business process controls, physical locations for fieldwork, duration of the test period (if an SSAE 16 Type 2 engagement is being performed), etc.
- Providing to the service organization a series of SSAE 16 Readiness Questionnaires.
- Developing a gap analysis, identifying areas that may require remediation before beginning the audit.
- Identifying and discussing, if applicable, the role of the internal audit function within the service organization.
- Providing guidance and direction to the service organization regarding the development of the description of its "system" and the written assertion by management, two fundamentally important components of the SSAE 16 standard.
If, during the course of the SSAE 16 Readiness Assessment, gaps are found that require remediation, it is imperative that remediation is completed before moving forward with the actual audit itself. The remediation period can and will vary from one service organization to another, and is often the result of inadequate policies, procedures, and other documented processes. In other cases, it may require putting in place a number of controls or other measures to ensure that the intent and rigor of the control to be tested are effectively met.
Other Essential Steps
Once you have completed remediation, the audit should effectively commence, which may begin with any number of steps, depending on the firm you work with and the course of action that has been outlined during the SSAE 16 Readiness Assessment phase. Generally speaking, the following measures will need to be undertaken for an SSAE 16 engagement:
- Scheduling fieldwork and identifying personnel.
- Developing a comprehensive list of items to be obtained and inspected during fieldwork.
- Confirming that management of the service organization has produced a description of its system and is also developing a written assertion.
- Authoring the final SSAE 16 Type 1 or Type 2 report, noting any exceptions, while also providing the service organization with general post-audit comments, suggestions, and other feedback, which is generally known as "management comments".
- Having all relevant parties of the SSAE 16 audit participate in a formal closing meeting.
Receive a competitive, fixed fee for SSAE 16 today. Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.