SSAE 16 controls form a critical component of any type of SSAE 16 assessment, as they play a large role in ultimately determining what areas within a service organization's control environment are going to be evaluated and possibly tested (in SSAE 16 Type 2 assessments) for compliance. But much like the historical SAS 70 auditing standard, SSAE 16 allows for a high degree of flexibility regarding SSAE 16 controls, specifically in regards to the actual language of the control objectives themselves, the areas they evaluate and test, along with other critical issues. And unlike PCI DSS compliance, which is prescriptive in nature as defined by the 12 specific PCI DSS "Requirements" and supporting tests, SSAE 16 relies on the service organization to ultimately assess and determine what controls are to be included. That's easier said than done, so take note of the following 5 important points to know about regarding SSAE 16 controls.
1. Control objectives often differ from one report to another: Much like the historical SAS 70 auditing standard, there are no "hard and fast", required control objectives to use for SSAE 16 - rather - recommendations and suggested ideas which the service organization and the service auditor (i.e., the practitioner performing the actual SSAE 16 Type 1 or Type 2 assessment) have agreed upon for the scope of the assessment. Additionally, how the control objectives are developed - specifically regarding their language and the frameworks used - can come from any number of sources, such as the numerous industry frameworks, organizations, and associations that publish such information (i.e., ISACA and their COBIT framework, COSO, Cloud Security Alliance (CSA), and many, many others). This "flexibility" in developing and ultimately using control objectives specifically tailored to a service organization's needs creates a high level of customization, but can also lead to confusion for some, as the following phrases were often stated for SAS 70 and are now very much part of the SSAE 16 controls discussion:
• "Why is my SSAE 16 report so different than another company's in the same industry?"
• "We've had two different CPA firm perform our SSAE 16 assessments over the past two years, and they both provided reports that had noticeable differences in the control objectives used for testing."
Take the good with the bad, as they say, and expect these issue to continue into the foreseeable future regarding SSAE 16 controls.
2. General Controls often form the basis of SSAE 16 controls: For the most part, you should see a number of similar general controls from one SSAE 16 report to another. Thus, regardless of whether an SSAE 16 assessment is being conducted on a technology-based Software as a Service (SaaS) organization - or on a traditional, brick-and-mortar type business - such as a third-party administrator (TPA) of medical claims, the following areas will typically be inquired about and tested (if performing an SSAE 16 Type 2) with SSAE 16 general controls applicable to them:
• Executive Tone | Senior Management Directives
• Human Resources
• Change Management
• Logical Security
• Network Security
• Physical Security
• Environmental Security
• Computer Operations | Media Backup
When you start getting into a service organization's specific business process, that's where the differences in SSAE 16 controls really come to light.
3. SSAE 16 Controls for Specific Business Processes: Where you'll start to see notable differences within SSAE 16 controls from one report to another are those controls related to an organization's business process. The "business process" is essentially the services performed and the related activities undertaken by a given service organization. For example, a third-party administrator (TPA) of medical claims facilitates claims pricing, payment, disbursement and other procedures relating to medical claims. As such, a competent, well-qualified CPA firm would discuss these issues with the service organization and agree upon SSAE 16 controls specific to claims administration. In summary, if a service organization's business process is to be included within the scope of an SSAE 16 assessment, then SSAE 16 controls applicable to that business process are to be identified.
4. Testing for SSAE 16 Controls varies greatly: Another issue with SSAE 16 controls is the number of tests used (again, only if a Type 2 assessment is being done) to "test" the validity of the control objective itself. For example, two different SSAE 16 Type 2 reports may both have a control objective for testing Change Management, yet one report has 6 tests while the other has 10 tests. Who's to say one's right over the other? Unfortunately, it's not that easy, and it often depends on the expertise of the accounting firm, what benchmarks, standards, or frameworks are being used (i.e., COBIT, ISO 27002, etc.) and the "willingness" of the actual service organization to help develop and agree upon the tests for SSAE 16 controls. You'll see this issue time and time again from one report to another, rarely seeing complete unity in the number and type of tests being performed for a particular control objective. It's yet another example of the looseness and flexibility of the SSAE 16 standard itself.
5. Planning, scoping, and speaking with your auditor is key: As you can see, the SSAE 16 controls issue can be quite challenging, especially for service organizations that are new to SSAE 16 reporting and have little or no experience in developing control objectives and related tests. Choose a qualified PCAOB CPA firm capable of understanding your needs and your clients' reporting requirements, and one that's willing to work with you in a collaborative manner in developing and designing the controls.
Is your organization seeking to become SSAE 16 Type 1 or Type 2 compliant? If so, contact NDB today for a competitive, fixed fee for all SOC 1, SOC 2 and SOC 3 reporting options. Contact Christopher G. Nickell, at 1-800-277-5415, ext. 706 or firstname.lastname@example.org.