SSAE 16 audits are commonly performed on entities that perform outsourcing functions on behalf of their clients. Known in the world of regulatory compliance as “service organizations”, these organizations have historically undergone SAS 70 compliance audits, but much has changed with the advent of the new AICPA Service Organization Control (SOC) reporting framework. Specifically, Statement on Standards for Attestation Engagements No. 16 (SSAE 16) has effectively replaced the aging SAS 70 auditing standard for reporting periods ending on or after June 15, 2011. This has resulted in many service organizations simply migrating from SAS 70 to SSAE 16 in hopes of continuing to achieve compliance with the new de facto standard for reporting on controls at service organizations. Though the transition from SAS 70 audits to SSAE 16 audits may seem rather straightforward, there are a number of significant changes that service organizations should be aware of. Furthermore, these changes may also impact cost and scope considerations for the SSAE 16 audit itself.
The first major change from SAS 70 to SSAE 16 is that the new SSAE 16 “attest” standard requires management of the service organization to provide a written assertion, also known as “management’s assertion”, “the written statement of assertion” or any similar variation of language. This assertion requires management to “assert” to a number of essential clauses, such as the fair presentation of the description of the system, the suitable design of the controls to achieve the stated control objectives, and the criteria used. Secondly, SSAE 16 audits require the service organization to provide a description of its “system”, whereas SAS 70 asked for a description of “controls”. The description of a “system” for SSAE 16 audits is generally seen as a more in-depth and comprehensive illustration of a service organization’s environment when compared to the historical SAS 70 description of “controls”. This requirement alone could result in additional time and effort on the part of service organizations in writing a thorough and comprehensive description of the “system”. This could in turn also enlarge the scope of the SSAE 16 audit, as a fair amount of additional information may be included within the “system”, such as additional control objectives and supporting tests for those control objectives.
However, even with that said, many service organizations (with the assistance of CPA firms) are simply migrating their historical SAS 70 framework onto the new SSAE 16 audit platform, making the necessary administrative changes as required by the new standard, and being issued SSAE 16 reports by the numerous accounting firms providing these services.
With that said, pricing for these services has seen no real increase from a cost perspective; rather, the continuing entrance of more and more CPA firms has resulted in a gradual decrease in auditing fees, especially when looking back on pricing as recently as five years ago. Generally speaking, SSAE 16 Type 1 audits are being performed for $15,000 - $25,000, while SSAE 16 Type 2 audits are ranging from $20,000 - $50,000. This pricing reflects audits conducted at one physical location, whereby auditors do not have to travel to multiple entities to perform fieldwork, as doing so would raise the fees marginally, or even considerably. Additionally, these fees generally include fieldwork conducted at a nearby data center for validating many of the physical security and environmental security controls in place that are often part of the scope for an SSAE 16 Type 1 or Type 2 audit. This is important to note because a large and growing number of service organizations often rely on and/or use a data center in close proximity for their production environments. Auditors, in turn, need to assess the control environments of these facilities.
Furthermore, if the facilities are not in close proximity and cost is an important factor in the engagement (and often it is!), then the CPA firm conducting the SSAE 16 can simply request that data center’s SSAE 16 audit report (if it has one) as evidentiary matter of the controls in place for physical and environmental security. Again, we'll need to emphasize that these fees are merely ranges, and could change significantly if the scope of the audit increases, often resulting in additional locations to visit for purposes of testing. Organizations should thus undertake an SSAE 16 Readiness Assessment to help define the scope of the audit itself, while also identifying areas needing remediation; measures that will ultimately help in containing unforeseen costs for the engagement.
NDNB's fees for SSAE 16 Type 1 and Type 2 audits are based on years of providing service organizations with a competitive, fixed fee, which essentially includes all costs for the engagement, such as fieldwork, travel, out-of-pocket expenses, report preparation and delivery, and any other miscellaneous expenses. Learn more about NDNB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.