SSAE 16 preparation, when done correctly, is an extremely proactive and beneficial process for helping service organizations plan, prepare, execute, and successfully complete a SOC 1 SSAE 16 engagement. Many entities are new to the entire SOC 1 SSAE 16 reporting landscape and require direction and guidance on a number of important issues, such as finding an auditor, conducting a readiness assessment, and identifying gaps and weaknesses, to name just a few. With that said, take note of the following brief SSAE 16 audit preparation checklist compiled by NDB Accountants & Consultants, a nationally recognized PCAOB CPA firm specializing in SOC 1 SSAE 16 and SOC 2, SOC 3 AT 101 SysTrust | WebTrust reporting:
Begin with an SSAE 16 Readiness Assessment - This process alone is one of the most fundamentally important steps an organization can take, so look at it as a useful and proactive undertaking for ensuring you’re actually ready for a SOC 1 SSAE 16 Type 1 or Type 2 assessment. An SSAE 16 Readiness Assessment – when conducted properly – should provide valuable information regarding audit scope (i.e., systems being tested, physical locations to visit, the number of control objectives, etc.), remediation items (i.e., areas of deficiency from an operational and technical perspective, such as policies and procedures, etc.), audit sampling, the deliverables expected by the CPA firm conducting the engagement, and more. Moreover, if your organization is completely new to the SOC 1 SSAE 16 process, then a Readiness Assessment is a must. High-quality CPA firms – those with years of regulatory compliance reporting experience – often include the cost of an SSAE 16 Readiness Assessment in their overall fixed-fee pricing model, so be sure to inquire about such services.
Remediate Technical Constraints – Real SSAE 16 audit preparation means finding areas of remediation and then actually following through with the remediation efforts themselves, such as re-configuring system parameters to satisfy one’s SSAE 16 control objectives and related tests. Because most SOC 1 SSAE 16 assessments focus on what’s known as “general Information Technology (I.T.) controls,” remediation efforts are commonly seen in provisioning and hardening computer systems, such as removing default settings, insecure services, etc. Remember, auditors will want to see evidence of one’s remediation efforts for technical issues, so roll up those sleeves and get to work. It can be challenging, but it’s necessary, not only for SSAE 16 compliance but for many other mandates as well, such as PCI, HIPAA, etc.
Remediate Operational Areas – SSAE 16 audit preparation also entails remediation that’s not just technical in nature - it also requires comprehensive measures for correcting many operational deficiencies, such as policies and procedures, along with strengthening best practices as necessary. Perhaps one of the most challenging areas is just that - policies and procedures - as businesses often fail to take the time to update critical operational and information security documentation, but it must be done. SSAE 16 auditors request a laundry list of deliverables during the audit process, with operational and information security policies and procedures at the very top of the list. Trust us, we’re a nationally recognized PCAOB CPA firm, and we always ask for policies and procedures for SSAE 16 Type 1 and Type 2 assessments.
Work With Your Auditors – Remember something very important - your SSAE 16 auditor is there to assist and facilitate compliance, not to be an adversarial roadblock in the overall process. Though they still have to be “independent” in judgment and objective in their findings, they also have a vested interest in issuing a “clean” SSAE 16 opinion. This means being upfront, open, and transparent at all times throughout the entire audit process, no matter what the issue is. The more proactive and open you are, the less likely it is that confrontations, constraints, and issues will arise. Talk about audit scope, remediation, testing concerns - whatever’s relevant to the SSAE 16 assessment - and work it out. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.
Call Christopher Nickell, CPA, today at 1-800-277-5415, ext. 706 to receive a competitive, fixed fee for all your SOC 1 SSAE 16, SOC 2 AT 101, and SOC 3 SysTrust | WebTrust needs. NDB also provides PCI DSS reporting (onsite audits) and numerous other compliance services.