Questions and Answers

Common questions on rapidly changing compliance regulations

Get A Fixed Fee Quote Today Request a Free Quote

For purposes of SSAE 16, the "internal audit function" are the personnel within a service organization who perform the roles and responsibilities of an internal auditor.  The personnel that consist of the "internal audit function" can also be other personnel who perform similar roles to that of an internal audit, such as third-party entities or other even other personnel within the service organization itself.

The service auditor conducting an SSAE 16 engagement on a service organization has an obligation to determine if an "internal audit function" exists, and if so, what are their roles and responsibilities within the organization.

Additionally, as defined within the actual SSAE 16 standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), a service auditor, after determining if an "internal audit function" actually exists, should conduct the following procedures:

  • The objectivity, professional care of the internal audit function and the ability of the service auditor to effectively communicate with them.
  • What is the nature of the work conducted by the internal audit function, its significance to the SSAE 16 engagement, along with evidence gathered and the conclusions made?
  • If the service auditor is to rely on the work performed by the internal audit function, what procedures will the service auditor perform themselves on this work?

Please keep in mind that many service organization may not have a formalized internal audit department, but may have personnel that perform similar duties.  If this is the case, then a service auditor has an obligation to determine their roles, responsibilities and the work they perform for purposes of applicability to an actual SSAE 16 engagement.  Learn more about NDNB's complimentary SOC 1 Policy Packets and SOC 2 Policy PacketsThey truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.

Learn more about the internal audit function and its importance on SSAE 16 reporting.  Additionally, if you are seeking a well-qualified, PCOAB CPA firm to help your organization prepare for the new reporting requirements for SSAE 16, contact NDNB today.

Since 2006, NDNB has been setting the standard for security & compliance regulations