The SSAE 16 SOC 1 standard requires management of the service organization to provide a description of its “system” along with a written assertion to the service auditor, both of which require careful attention and preparation by management themselves.
Description of its System
For SSAE 16, a service organization's description of its "system" should be understood as follows: the services provided, along with all supporting processes (technological or manual), policies, procedures, personnel, and operational activities that support the daily functioning of the service organization's core activities relevant to user entities.
A service organization’s description of its “system” should encompass these main attributes, but one should expect to see variations in the descriptions of these “systems”, due in large part to the differences that exist amongst service organizations themselves.
For example, a Software as a Service (SaaS) entity describing and documenting its "system" will differ noticeably from a Third Party Administrator (TPA) of medical claims describing its "system". In short, no two service organization "systems" are alike, but entities should strive to include all necessary information when presenting their description of the "system" to the service auditor.
Thus, the framework for documenting a service organization’s system for purposes of SSAE 16 should include a comprehensive discussion of the following components:
- The services provided along with the classes of transactions processed.
- The procedures used, from beginning to end, both automated and manual, for the transactions (i.e., the flow of the transactions and all activities, from initiation to correction of errors, as necessary).
- How the system captures and addresses significant events and conditions, along with the processes and procedures used to prepare and report information to user entities as necessary.
- The control objectives, related controls, and user control considerations.
- The service organization's elements of internal control, which are generally based on the COSO framework and consist of the following: 1. Control Environment; 2. Control Activities; 3. Information and Communication; 4. Risk Assessment; 5. Monitoring.
SSAE 16 written assertion by management
Management of the service organization must also produce a "written assertion" for purposes of SSAE 16 reporting, which "asserts" that (1) management's description of the service organization's "system" is fairly presented, and (2) the controls and related control objectives were suitably designed and, for purposes of SSAE 16 Type 2 reporting, were operating effectively.
Any service organization undertaking SSAE 16 compliance should seek assistance and guidance from a qualified SSAE 16 auditing firm for gaining a comprehensive understanding of the written assertion by management.
Lastly, for purposes of SSAE 16 reporting, the SSAE 16 publication released by the American Institute of Certified Public Accountants (AICPA) states that the actual written statement of assertion may be included in or attached to management's description of the service organization's system. This gives the service auditor flexibility when drafting the final SSAE 16 report. A number of practitioners have noted that service auditors performing SSAE 16 engagements should also require management of the service organization to produce the actual written statement of assertion on their own letterhead, much like a management representation letter.