The SSAE 16 Audit Process
After the sale and signed engagement letters, this is what to expect during the audit process.
Scoping Call
Introduction to the audit process and submission of the initial audit survey. The survey is designed as a preliminary readiness assessment. During the scoping call, the auditor will outline the general controls or principles to be included in the audit and any relevant application-specific controls, and will discuss with management what requirements, if any, the user organizations (your clients) have.
Other key components of the call:
- Determine project management leads – exchange contact information
- Discuss the audit process
- Specify the audit period
- Collect application specific information
- Assign secure portal login and password – submitted to project lead
- Determine survey completion date
- Discuss preliminary onsite dates
Testing Locations and Parameters
Once the audit scope has been determined, make sure that all proposals include a discussion of which physical locations (if the client has more than one location) will be included in the scope of the audit and how many visits will be required.
Survey Completion
The client completes the survey, and the auditor creates non-application and application-specific control objectives or principles and submits them to the client. This document forms the baseline for the audit plan and the service auditor's testing.
Management approves the audit plan
- Begin gathering of artifacts
- Onsite Readiness – Auditor determines what is needed prior to the onsite visit.
- Perform onsite testing
- QA all submitted audit evidence – ensure that the evidence collected is in scope and current for the period under review.
- Management Update – Describe to management the audit progress and discuss any outstanding issues.
- Draft Report creation – Create report within 2 weeks of onsite (schedule permitting).
- QA review
- Client review
- Report finalization