SSAE 16 / SOC Frequently Asked Questions

What is the SAS 70 Standard?

SAS 70 is an auditing standard designed to enable an independent auditor to evaluate and issue an opinion on a service organization’s controls. The audit report (i.e. the service auditor’s report) contains the auditor’s opinion, a description of the controls placed in operation, and a description of the auditor’s tests of operating effectiveness (if the report is a Type II). The audit report can be shared with the service organization’s customers (“user organizations”) and their respective auditors (“user auditors”). The service organization is responsible for describing the control objectives and control activities that would be of interest to user organizations and their respective user auditors. SAS 70 is not a predetermined set of standards that a service organization must meet in order to “pass”.

How should a service organization disclose its controls?

Premier Auditors believes that there are 5 main components to how a service organization should disclose its controls:

1.) Control Activities: the policies and procedures that ensure employees carry out management’s directions. The types of control activities an organization must implement are preventive controls (controls intended to stop an error from occurring). They ensure that the necessary actions are taken to address risks to the achievement of the entity’s objectives.

2.) Control Environment: the foundation for all components of internal control, providing discipline and structure.

3.) Risk Assessment: the entity’s identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.

4.) Information and Communication: the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities timely, accurately and securely.

5.) Monitoring: the process that assesses the quality of internal control performance over time.

When did the SSAE 16 Standard become effective?

The SSAE 16 effectively replaced the SAS 70 standard on June 15th, 2011.

What is an SSAE 16 Standard?

SSAE 16 is an auditing standard that addresses reports on controls at a service organization. SSAE 16 is an enhancement to the previous reporting standard, SAS 70, so that it complies with the new international service organization reporting standard, ISAE 3402.

What does it mean if I currently have a SAS 70 and not an SSAE 16?

That is not a problem for Premier Auditors. It simply means that some changes will be required in order to report effectively under the new SSAE 16 Standard.

Is there a list of Standards or Control Objectives?

NO! Service organizations are responsible for providing their controls and defining their control objectives. There is no published list of standards; however, there are principles with related activities that a service organization should have in place as a minimum.

Is there a list of SSAE 16 Standards or Control Objectives?

YES! There are 5 principles that a service organization should consider:

1.) Security: The safety of an entity/organization against criminal activity such as terrorism, theft, or espionage

2.) Availability: An entity’s state of being present and ready for use; at hand; accessible

3.) Processing Integrity: the ability to conduct reliable business activity in a secure, scalable SOA environment with seamless integration at every level

4.) Confidentiality: ensuring that information is accessible only to those authorized to have access and is protected throughout its life cycle

5.) Privacy: The state or condition of an entity being free from being observed or disturbed by other people, or from public attention

Not all principles apply to every organization.

What is Service Organization Control (SOC)?

Service Organization Control (SOC) reporting takes the form of SOC 1, SOC 2, and SOC 3 Reports. These reports are a comprehensive framework put forth by the American Institute of Certified Public Accountants (AICPA) geared towards reporting on controls at service organizations. Unlike Statement on Auditing Standards No. 70 (SAS 70), the SOC framework is a specific set of reporting initiatives aimed at helping to clarify, distill, and bring much needed transparency to reporting on controls at service organizations. A number of necessary elements helped to form the new SOC reporting framework. Each of the three SOC reports is geared towards very specific needs and reporting requirements for service organizations.

What is the AICPA Service Organization Control SOC 1?

SOC 1 Reporting is on controls relevant to internal control over financial reporting (ICFR). SOC 1 reporting is conducted in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, otherwise known as SSAE 16, along with an accompanying SSAE 16 audit guide.

What is the AICPA Service Organization Control SOC 2?

SOC 2 Reporting is on controls relevant to security, availability, processing integrity, confidentiality, or privacy. SOC 2 reporting is conducted in accordance with AT Section 101 and utilizes an audit guide titled “Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy”.

What is a SOC 2 Audit?

This audit report provides a higher level of assurance because an independently predefined set of criteria is used, thereby subjecting all service organizations to the same set of standards. This is not the case with SOC 1 audits.

What is the AICPA Service Organization Control SOC 3?

SOC 3 Reporting is on controls relevant to security, availability, processing integrity, confidentiality, or privacy in accordance with general Trust Service Principles. These reports are to be prepared using the AICPA and the Canadian Institute of Chartered Accountants (CICA) Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

How will my Audit report be distributed from Premier Auditors?

Premier Auditors will formally communicate the process for distributing the audit report with the service organization. At the end of your company’s audit, Premier Auditors will issue a Service Auditor’s Report. The audit report is then provided to the service organization for distribution to its customers, also known as user organizations. The user organizations are responsible for obtaining the audit report from the service organization (your company) and then distributing it to their respective auditors.

What should a Service Organization look for when engaging in an audit?

A service organization should look for all of the qualities that Premier Auditors provide:

1.) Skilled audit professionals that understand the business and information technology controls and processes

2.) Experience in performing service auditor’s examinations

3.) Relevant industry experience

4.) Availability of resources (i.e., bandwidth to deliver the services on time)

5.) Project management skills

What should I do if my service provider does not have an SSAE 16 audit?

Tell them to contact Premier Auditors immediately to prepare to entertain audit requests from their customers.

Who can administer an SSAE 16 audit?

Premier Auditors can perform an SSAE 16 audit along with many other variations of audits! An SSAE 16 audit can only be performed by an independent certified public accountant or firm. Premier Auditors follows specific professional standards established by the American Institute of Certified Public Accountants. Premier Auditors has multiple professionals with relevant business process, information technology, or security skills to participate in an audit engagement.

If I engage in an Audit, does my entire organization have to participate in the Audit?

No! The service auditor’s report can be customized to specifically identify the applicable data centers, operating environments, and applications that are covered in the audit.

How much does Premier Auditors charge for an SSAE 16 Audit to be performed?

Premier Auditors’ examination fee structure largely depends on the amount of time it takes Premier Auditors to perform the necessary procedures in order to render an opinion on the controls placed in operation and the tests of operating effectiveness. In other words, the fee structure is determined on a case-by-case basis. Please see Premier Auditors’ Fee Structure page for more details.

How does a service organization “pass” or “fail” an SSAE 16 Audit?

At the end of Premier Auditors’ audit examination, Premier Auditors will render an opinion on the following topics:

1.) Whether or not the service organization’s controls are operating effectively over a specified period of time.

2.) Whether or not the service organization’s controls are suitably designed.

3.) Whether or not the service organization’s description of controls is presented fairly.

4.) Whether or not the service organization’s controls are placed in operation as of a specified date.

Once Premier Auditors can confidently conclude that the items referenced above have been successfully accomplished, Premier Auditors will render what is referred to as an “unqualified opinion”. While a SOC 1 audit is technically not a “pass” or “fail” audit, the receipt of an unqualified opinion from the service auditor is often referred to as “passing” the audit. SOC 2 and SOC 3 are strictly “pass” or “fail” audits. Sometimes, when Premier Auditors’ procedures expose exceptions or control deficiencies, they may conclude that a control objective could not be achieved due to a design deficiency or an operating effectiveness deficiency. When this occurs, the service auditor will “qualify” the opinion to indicate that a control objective could not be achieved.

How often should I renew my SSAE 16 Audit with Premier Auditors?

Premier Auditors’ report (“SSAE 16 audit report”) covers a period of time, usually 6 or 12 months; for example, a report dated December 31, 2011 will cover a specified period (January 1, 2011 to December 31, 2011 in the case of a 12-month reporting period). Service organizations usually have the audit conducted annually, mainly because user organizations and their auditors need assurance that the service organization’s controls are operating effectively for the current fiscal year of the user organization. The same is true for organizations that renew every 6 months.