Questions and Answers

Common questions on rapidly changing compliance regulations


SSAE 16 requires service organizations to provide a description of their "system". There are many ways to describe what a "system" is, so it is best to define it as follows: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities.

In short, a service organization will need to provide a description that adequately identifies and illustrates all critical and material services being provided, the procedures used from beginning to end for the transactions, and how the system captures and addresses significant events and conditions.

A description of its "system" for purposes of the SSAE 16 standard will also need to include the control objectives, related controls and user control considerations, along with the service organization's elements of internal control, which may be based on the COSO framework.

It's interesting to note that while the SAS 70 auditing standard called for a description of "controls", SSAE 16 requires service organizations to provide a description of their "system". Thus, some service organizations may find themselves making significant changes to their previous description of "controls" to ensure they meet the new requirements of SSAE 16. Learn more about NDNB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.

So, what is the key difference between the SAS 70 description of "controls" and the SSAE 16 description of its "system"? Many practitioners (i.e., service auditors) regard the SSAE 16 description of its "system" as a more comprehensive and expansive illustration of the services performed by the service organization than the previous SAS 70 requirement for a description of its "controls".

Consultation with a well-qualified IR CPA firm specializing in SSAE 16 compliance can help answer these questions for you by providing your organization with a roadmap consisting of templates, checklists, and other tools to help produce an acceptable description of its "system" for SSAE 16.
