Developing SSAE 16 Control Objectives that are related to the ICFR Concept is Critical
Since SSAE 16 is effectively replacing SAS 70, and because the SSAE 16 controls and related assertions need to be based on relevant internal control over financial reporting (ICFR), service organizations need to constructively "re-think" their control objectives. Unlike SAS 70, which became a heavily misapplied auditing standard, the new AICPA SOC framework, under which SSAE 16 falls, requires service organizations to effectively choose between the SOC 1, SOC 2, or SOC 3 reporting regimens.
Thus, if you are embarking on SOC 1 SSAE 16 compliance, your organization will need to ask itself this question:
What services and controls do we, as a service organization, have in place that affect the internal control over financial reporting (ICFR) for entities that utilize our services (i.e., user entities)?
A significant number of service organizations that previously underwent SAS 70 compliance will no doubt be SSAE 16 candidates, due in large part to the services and supporting controls in place that affect the internal control over financial reporting (ICFR) for entities utilizing their services. Great examples of SSAE 16 candidates are the following:
• Actuarial and Trust Services
• Third Party Administrators (TPA)
• Payroll processors
• Bank Owned Life Insurance (BOLI) and other insurance related entities that perform critical fiduciary functions for their clients.
• Registered Investment Advisors (RIA)
Thus, the first step your organization should undertake in better understanding the ICFR relationship with your services is to develop a series of process-based flow charts that clearly illustrate your business process lifecycle of events, which will ultimately help when developing the description of the service organization's "system," a critical requirement for SOC 1 SSAE 16 compliance. A service organization's "system" can be defined as the following:
"...the services provided, along with the supporting processes, policies, procedures, personnel, and operational activities that constitute the service organization's core activities that are relevant to user entities..."
Once you begin documenting your business process lifecycle, you'll start identifying key areas where critical ICFR elements take root, such as certain activities along with supporting policies, procedures, and processes that begin to define your control environment. You can then begin to formalize control objectives and their supporting control elements. Speaking with a CPA firm qualified to conduct SSAE 16 assessments can also help the process, as they'll have in-depth experience in many of the above listed industries and business sectors. Most helpful in the process is engaging in an SSAE 16 Readiness Assessment, whereby you can get assistance in documenting your business process lifecycle and your description of the "system." Additionally, learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.
How do we document and ultimately illustrate these control objectives in a formalized manner necessary for testing by a CPA firm for SOC 1 SSAE 16 compliance?
If you've undertaken SAS 70 compliance in the past, you may very well have developed and tested ICFR control objectives that you can "carry over" for SSAE 16 testing. You can also work with a CPA firm qualified to conduct SSAE 16 assessments, but ultimately, these are your control objectives from your control environment, for which management is responsible. With that said, here are some sample generic ICFR control objectives that you may consider.
• Controls provide reasonable assurance that batch processing transactions are authorized, result in accurate output data, and reconciliation activities are undertaken to confirm such accuracy.
• Controls provide reasonable assurance that I.T. systems capture critical client financial data in an accurate, timely, and complete manner.
• Controls provide reasonable assurance that all necessary reporting activities pertaining to critical financial data are conducted on a structured, regimented basis, resulting in accurate, timely, and complete information.
• Controls provide reasonable assurance that automated and manual controls are in place and utilized for initiating transactions for client data.
Management of the service organization will be required to provide the auditor with working documentation of the control environment under evaluation for the SSAE 16. The documentation will usually consist of policies and procedures, narrative descriptions of the controls, organizational charts, business flow charts, and functional diagrams. These will need to represent not just the control objectives, but also the detail of the control specifications and the overall system of the control design. An assertion will also be provided to the auditor, either as part of the description of the overall control design (system) or as a separate document that details management's understanding (the Management Assertion) of the monitoring and operating effectiveness of the system over the relevant testing period, for attestation by the auditor.
Unlike how SAS 70 has been used (or abused) in the past, the auditor should not issue a SOC 1 report without an understanding of the specific and relevant ICFR. Generally, service organizations whose control environments are relevant to their user entities, but which have no specific responsibility for identifiable ICFR activities, should appropriately define their controls in relation to SOC 2 and/or SOC 3 reporting.
Contact Christopher Nickell, CPA, to receive a competitive, fixed fee quote for all your SOC 1 SSAE 16 needs. He can be reached at 1-800-277-5415, ext. 706.