SSAE 16 states that if the service organization has an "internal audit function", it is the responsibility of the service auditor to understand the role, responsibilities, and activities of that function in order to determine its applicability and relevance to an SSAE 16 engagement.
The "internal audit function" for SSAE 16 can best be described simply as the personnel within a service organization that perform duties of an internal auditor. Common internal audit functions can include ensuring that the service organization’s daily operational activities, safeguards, processes, and procedures are functioning properly, which can be tested and monitored by the internal audit function through a number of procedures.
SSAE 16 also allows the internal audit function to include other personnel who perform functions similar to those of internal auditors; these personnel may be service organization employees or external, third-party entities.
Assessing an Organization's Internal Audit Function - What You Need to Know
With that said, the existence of an internal audit function must first be identified within a service organization, and if one is present, the service auditor will need to determine the adequacy of the internal audit function itself for an SSAE 16 engagement. This would require evaluating the following conditions:
- The objectivity and overall competency of the group (technical and professional competency).
- Is due professional care used when the work is being performed by the internal audit function?
- Can the internal audit function of the service organization communicate effectively with the service auditor, in a transparent and professional manner, to help facilitate the SSAE 16 engagement?
Additional Points to Note about an Internal Audit Function
If the service auditor can answer yes to these questions and gain an acceptable level of confidence regarding the internal audit function, the service auditor should then evaluate the following conditions:
- What is the nature and scope of the work to be performed by the actual internal audit function?
- How significant is the work to the actual service auditor's findings and conclusions for an SSAE 16 engagement?
- What degree of subjectivity is to be used in evaluating the evidence (interviews, inspections, documents, and other supporting evidence) to support the actual conclusions?
Relying on Work Performed by Internal Auditors
If the service auditor is to rely on the work performed by the internal audit function, the service auditor will have to perform procedures on that work to determine its applicability, relevance, and adequacy for an SSAE 16 engagement. The service auditor will therefore have to determine whether the work was actually performed by the internal audit function, whether it was properly supervised, reviewed, and documented, whether there is sufficient evidence to draw conclusions, and whether those conclusions are appropriate and acceptable. Lastly, any exceptions found and disclosed by the internal audit function must be resolved. If your organization is seeking SSAE 16 compliance, contact a well-qualified PCAOB CPA firm that specializes in SSAE 16 engagements.