SSAE 16 will require many service organizations to re-calibrate many aspects of their annual compliance initiatives and directives regarding the new attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Specifically, unlike the SAS 70 auditing standard, SSAE 16 requires a written assertion by management along with a description of its “system”. Additionally, service organizations will also benefit from having all facets of the new standard explained to them in greater detail, ultimately allowing for enhanced clarity and understanding of the overall scope, requirements and deliverables of the SSAE 16 standard. Also, learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.
In short, there’s much more to SSAE 16 for a service organization than just developing a description of its “system” along with a written assertion by management. As such, an SSAE 16 Readiness Assessment will help unearth fundamental topics such as the internal audit function, the concepts of “criteria” and “monitoring” along with other essential subject matter.
Topics to cover within an SSAE 16 Readiness Assessment would include, but are not limited to, the following:
- Gaining a comprehensive and in-depth understanding of the new SSAE 16 standard and how it differs from, but also relates to, other well-known country- and region-specific standards, such as SAS 70.
- Conducting a scope analysis for an SSAE 16 engagement, which would include the following:
  - What relevancy, if any, does the prior SAS 70 Type 1 or Type 2 report have in relation to the new SSAE 16 standard? For example, how much information from the previous SAS 70 description of “controls” can be used within the description of its “system” for SSAE 16 reporting?
  - What control objectives and related controls are to be used that will form the basis for SSAE 16 reporting and do they effectively meet requirements set forth by user entities for reporting purposes?
  - Have all subservice organizations been identified, and if so, will the “carve-out method” or the “inclusive method” be used regarding these entities?
  - How many physical locations are to be included within the scope of an SSAE 16 engagement for the service organization?
  - What time period will be used for SSAE 16 reporting?
  - Does the service organization have in place an “internal audit function”? If so, what are its roles and responsibilities, and may the service auditor rely on its work?
- Note: Expert guidance should be provided to the service organization for developing a comprehensive description of its “system” along with a written assertion by management for SSAE 16 reporting.
- Additionally, a well-qualified CPA firm specializing in SSAE 16 compliance will be able to provide the service organization with a series of SSAE 16 Readiness Assessment Questionnaires, a series of highly customized templates and questionnaires directly related to one’s business environment. These are essential in helping scope an SSAE 16 engagement along with identifying any gaps and weaknesses that will need to be remediated before the actual audit begins.
- Lastly, additional resources such as policies, procedures, and other essential documents may be provided to the service organization to help it prepare for SSAE 16 compliance.
In summary, an SSAE 16 Readiness Assessment is a useful and proactive tool in helping any service organization meet its new reporting requirements in a seamless, efficient, and cost-effective manner.
Contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706 today to begin your SSAE 16 Readiness Assessment process.