1. User organization —The entity that has engaged a service organization
and whose financial statements are being audited
2. User auditor —The auditor who reports on the financial statements of the user organization
3. Service organization—The entity (or segment of an entity) that provides services to a user organization that are part of the user organization's information system
4. Service auditor —The auditor who reports on controls of a service organization that may be relevant to a user organization's internal control as it relates to an audit of financial statements.
The new service organization reporting standard is Statement on Standards for Attestation Engagements (SSAE) No. 18 effective May 1, 2017, (CurrentlySSAE 16) supersedes the Statement on Auditing Standards SAS 70 with the professional guidance on performing the service auditor's examination. The new standard mirrors a global standard called the International Standard on Assurance Engagements (ISAE) 3402 issued by the International Auditing and Assurance Standards Board (IAASB).The SSAE 16 standard is pronounced by the American institute of certified public accountant (www.AICPA.org) for use of a service organization. The SSAE 16 criteria are used to evaluate the internal control environment of an service organization as part of a financial statement audit of the user organization.
The standard requires service organizations to demonstrate controls in operations and its design to achieve objectives set forth. SSAE 16 report is attested by an Independent Auditor. The auditors are subjected to training, continuous professional education by the AICPA. Further, the engagements are subject to peer reviews periodically. The standard provides for two types of reporting Type 1 and Type II. .
Formerly the SAS 70 ( now SSAE 16) has been used internationally for years. Service organizations have been through an in-depth audit of their control activities (such as safeguards on information technology). This is especially important in cases where data is regulated and/or sensitive (such as in HIPAA or Sarbanes-Oxley-SOX- compliance) –where it is essential to know that service organizations managing this data have effective and well-documented controls in place that preserve the confidentiality, integrity and privacy of data being stored, processed and transmitted.
SOX-404 and PCOAB Service organizations, as outsourcers and providers of services to public companies, are subject to the same level of scrutiny of their internal controls. Public companies cannot outsource their responsibility to examine the control environment and may be subject to fines/penalties for deficiency of effective controls over ICFR.
Bottom line: Passing a SSAE 16 is essential for compliance with regulatory requirements. But there’s more- Think beyond legalities. If you own a company that sells outsourced services (such as payroll services, data management, or claims processing) that can significantly affect the financial health of a user organization, getting a clean bill of health from a SSAE 16 engagement sends a strong signal of trustworthiness to your existing and prospective clients. This provides assurance that you have the controls and safeguards needed to preserve the security, availability process integrity or privacy of the information you manage. “Trust us with yours.”
Think of the SSAE 16 as your company’s “Best Practices”. Now sit on the other side of the table. If you are a user organization and your company uses service providers , an SSAE 16 provides a level of confidence that these service organizations, handling your most confidential and valuable information, have the procedures and controls in place to give you the required assurance that access controls for data are in place
SSAE 16 reporting is applicable to the audit of the financial statements of the user organization that obtains services from a service organization that are part of its information system. A service organization's services are part of the user organizations’ information system if they affect any of the following:
• The classes of transactions in the user organization’s operations that are significant to the user organization’s financial statements
•The procedures, both automated and manual, by which the user organization’s transactions are initiated, authorized, recorded, processed, and reported from their occurrence to their inclusion in the financial statements
• The related accounting records, whether electronic or manual, supporting information and specific accounts in the entity's financial statements involved in initiating, recording, processing and reporting the user organizations’ transactions.
•How the user organizations’ information system captures other events and conditions those are significant to the financial statements.
•The financial reporting process used to prepare the user organizations’ financial statements, including significant accounting estimates and disclosures.
Knowing how much extra value and assurance a SSAE 16 can deliver, many clients find that it makes sense to take steps to ensure a more successful outcome, including hiring experts who are skilled in helping companies be more thorough and thoughtful in how they approach their audits. Preparing for a SSAE 16 engagement is a matter of clear thinking and smart planning. Working with a consulting company such as ECOM helps you dig into areas such as incident response programs, change management processes and how vendors are monitored and managed in advance of the actual audit in order to identify and resolve questions and problems.
In a Type I engagement , the service auditor will express an opinion and report on the subject matter provided by the management of the service organization as to
(1) whether the service organization's description of its system fairly presents the service organization's system that was designed and implemented as of a specific date; and
(2) whether the controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives - also as of a specified date. A Type I report can be for either a SOC 1, or SOC 2 as explained below depending on the objectives of controls and services being provided.
In a Type II engagement , the service auditor will additionally express an opinion and report on the subject matter provided by the management of the service organization as to; (3) whether the controls related to the control objectives stated in management's description of the service organization's system operated effectively throughout the specified period to achieve those control objectives. A Type II report also can be for either a SOC 1, or SOC 2 as explained below depending on the objectives of controls and services being provided. .
|SSAE 16 Comparison||Type 1 SSAE 16||Type 2 SSAE 16|
Reports on Compliance
|•Report is as of point in time (i.e., as of 12/31/200X)
• Looks at the design of controls – not operating effectiveness
• Limited use & considered for information purposes only
• Not considered useful for purposes of reliance by user auditors
• Not used as a basis for reducing the assessment of control risk below the maximum
• Generally performed in the first year that a service organization has a SSAE 16 requirement.
|• Report covers a period of time, generally not less than 6 months and not more than 12 months
• Differentiating factor: Includes tests of operating effectiveness
• May provide the user auditor with a basis
• Requires more internal and external effort
• Identifies instances of non-compliance of the stated control activity
• More emphasis on evidential matter
|Service Organization Controls (SOC) 1 or SOC 2||SOC 1||SOC 2|
||•Address Controls Related to User Entities’
Internal Control over Financial Reporting (“ICFR”).
It is used by service organizations affecting financial reporting of user organizations.
E.g. payroll processors, claims processors.
• Reports for user auditor, management of user/service Organization.
|• A SOC 2 report conveys trust and assurance to users of the system that the service organization has deployed an effective control system to effectively mitigate operational and compliance risks that the system may represent to its users.
It addresses Service Organization Controls using Trust Services Principles & Criteria for service organizations to apply and report on controls that may affect users of their service. A SOC 2 report demonstrates an independent auditor’s review of a service organization’s application of criteria related to one or more of the Trust Services Principles, which are:
• Software as a Service (SaaS) and Application Service Providers (ASP)
• Payroll Organizations
• Fulfilment and Mail Order Companies
• Third Party Administrators (TPA) for Health and Benefits, Property and Casualty and Self-funded and Cobra
•Taft Hartley Organizations
• Medical Claims Processors
• Medical Billing Applications
•Data Centres/Co-Location Centre’s
• Managed Services Centre’s
• Card Payment Industry Transaction Entities
• Market Research Firms
• Online Market Rebate Firms
• Lockbox & Payment Collection Entities
• Knowledge Management (KM) Systems
• Customer Relationship Management (CRM) software applications
• Sales and Use Tax Entities
• Local and State Tax Procurement and Processing Departments
• Call centers
• Mortgage Service and Payment Entities
• Business Process Outsourcing (BPO) Entities
• Insurance Organizations-Excess & Surplus Lines (E&S)
• Title Companies
• I.T. Managed Services Entities
• Skip Tracing Entities
• Customer Life Cycle Management Entities
• Medicare Part D Software and Consulting Firms
1. Planning and Readiness Assessment
• Define expectations and project roles.
• Preliminary interviews / questionnaires conducted to gain understanding of requirements.
• Client information request list prepared and distributed.
• Analysis of client-prepared information performed and client feedback provided.
• Project timeline (including estimates of client hours) / plan created and
• Modifications made based on client discussions.
2. Identification of Controls
• Control objectives and activities written through collaboration of our team and client management.
• Planned testing procedures submitted to client for each control activity.
• Discussion regarding content of introductory sections of SAS 70 report.Key Steps in SAS 70 Audit Proc
3. Testing of Controls / Fieldwork
• Kickoff meeting conducted with all stakeholders.
• Audit inquiries and walkthroughs performed by audit team to confirm understanding based on control objectives.
• Testing procedures finalized and reviewed by client personnel to determine feasibility.
• Audit team performs testing of each control activity to assess operating effectiveness during test period.
• Test results communicated and exceptions are resolved, if possible.
• Closing meeting conducted to finalize project results, timing of report issuance, and discuss management recommendations.
• SAS 70 audit report is drafted through inputs from both the audit team and client management.
• Engagement finalization tasks performed by audit team: final work paper review, draft report review, and any necessary modifications.
• Client approves final version, audit quality assurance performed, and report is issued.
5. Ongoing Support
• Participation in meetings/ answer questions of user organizations and their auditors
• Consultation with management regarding organizational or operational changes affecting SAS 70.
The SSAE 16 defines the standards used by a service auditor to assess the internal controls of a service organization. The control objectives and activities vary based on the scope of the SSAE 16 and client operations. The relationship between the service organization and the user organizations must be viewed to help determine the controls that should be included in the engagement. In addition, the impact on the user organizations financial statements will also be the determining factor as to whether controls at the service organizations are in the scope of the SSAE 16. The following outlines typical categories for control activities that are included in the description of controls for most SSAE 16 reviews:
General Computer Controls
• Logical security ( passwords, 2 Factor etc)
• Physical and environmental security
• Network security (firewalls, intrusion prevention)
• Change management
• Data retention and storage
• Disaster recovery / business continuity
• System documentation
There are also application-specific control activities that will vary based on the client systems that have been implemented. For example, the system application(s) of a thirdparty payroll provider would normally be reviewed to understand the automated controls around transaction processing..
Financial (“Back Office”) Controls
In many instances, the financial controls of the service organization affect the financial reporting (ICFR) of the user organization. This is a typical case for the SOC 1 engagement . The planning stage of the SSAE 16 includes discussions with user organizations and analysis of operations to determine the financial controls (if any) that should be in scope for the engagement. Along with our testing of these control activities, we will also consider the overall control environment (organizational structure, ‘tone at the top’), how management assesses its risks, information and communication (how information is communicated and transferred throughout the company), and monitoring (how the effectiveness of internal controls is being assessed within the organization).
Why Us ?
We provide end to end process for SSAE 16, SOC 1/ AT 101 Engagements. With data moving into the Cloud and increased use of BIG DATA, Cloud Security and Privacy concerns are on the rise. We conduct integrated Cyber security engagements with privacy engagements. AICPA has developed the SOC reporting framework for privacy, which can help organizations to ascertain their level of maturity for privacy. With more stringent regulations like HIPAA, EU-GDPR and enforcement of these privacy issues are causing nightmares to organizations.
Some of the advantages of working with Us are:
Download our SSAE 16 Services
Download our SOC 2 for Cloud Services
Download our SOC 2 for HITRUST/HIPAA Services
Download our GDPR Readiness Services