SSAE 16

What is SSAE 16 | SOC

The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is an independent audit examination and report on Service Provider Organization’s specific controls pertinent to the services they provide.

The objective of Service Organizations is to provide assurance and confidence to their clients and potential clients that the information and resources they are entrusted with, are appropriately secure and to ensure that sufficient security controls and safeguards are in place to protect their clients from data breach infiltration and exfiltration. This objective can be achieved by service providers by having them undertake an independent audit of their Service Organization’s security controls (SOC), and having a tangible SOC Audit Report made available to all clients including  would be clients.

The SOC Audit is focused on an examination of controls relevant to the services the organization provides and broadly applies to its operations and IT security controls. The SOC audit will provide security assurance attributes such as confidentiality, processing integrity, availability, privacy, and when applicable, customer financial reporting controls.

Why Should a Company Get an SSAE 16 Audit Report?

SSAE 16 audit reports can be an effective marketing tool to distinguish a service organization from their competitors, to attract new clients, and to strengthen existing client relationships. The SSAE 16 report enables service organizations to project a strong and trustworthy image to their customers with regard to their ability to preserve the clients’ information security.

Conversely, the absence of SSAE 16 certification and audit report may be detrimental as SSAE 16 reports have become standard security and validation tools for service organizations. Service provider customers may cancel existent service contracts and potential business customers may not even consider the services of a third party service organization that has not obtained an SSAE 16 certification.

The benefits of undergoing such an SSAE 16 Audit and Certification

• The development of a marketing advantage for acquisition of new customers and retaining customers.
• Improved qualification for securing new business opportunities requiring SSAE 16 or SOC 2 compliance
• To build improved efficiency when responding to client security questionnaires and audits
• The creation of increased stakeholders confidence

Three Types of SOC Examinations Services

There are three types of SOC examinations and reports defined to address distinct user requirements as follows:

SOC 1 | SSAE 16 (formerly SAS 70)

If your company (the Service Organization) performs outsourced services that are relevant to internal controls over the financial reporting of another company (the User Organization), your company will more than likely be asked to provide an SSAE 16 report, especially if the User Organization is publicly traded. Services that are relevant to internal controls over financial reporting’ can range from providing access controls over financial data to recording or manipulating financial data for the User Organization.

The primary purpose of an SSAE 16 report (also referred to as a SOC 1) is to provide User Organizations and their financial statement auditors with an understanding of the services being provided and a Service Auditor’s opinion as to whether the description of the system of controls is fairly presented, and the controls are suitably designed.

SOC 2

SOC 2 engagements (isn’t audit a better word?) evaluate and report on controls at Service Organizations relevant to selected Trust Services Principles and Criteria that include: Operations and IT Security that covers Availability, Processing Integrity, Confidentiality and/or Privacy.

SOC 3

SOC 3 WebTrust and SysTrust for Service Organizations.
The Trust Services Principles and Criteria are a set of professional attestation and advisory services that form the basis for both the WebTrustTM and SysTrustSM Services. The Trust Services are a broad-based set of principles and criteria put forth jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) to maintain the privacy and confidentiality of information. In today’s global economy, companies are relying more and more on complex and powerful information technology systems. In order to gain the trust of key stakeholders, many companies choose to undergo a WebTrustTM or SysTrustSM audit which is performed by an auditor when a SOC 1 SSAE 16 or SOC 2 audit is not appropriate.

Three Levels of SOC Audit Services and Reports

• SOC Readiness Services

This service is designed to assist service organizations in assessing their preparedness for a SOC examination. Readiness Assessments are non-attest consulting engagements that are designed to identify gaps in controls and advise the service organization of necessary corrective actions in preparation for the SOC examination.

• Audit Report Type 1

Type 1 is a report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified “point in time”.

• Audit Report Type 2

Type 2 is a report on the fairness of the presentation of management’s description of the service organization’s system, the suitability of the design, and operating effectiveness of the controls to achieve the related control objectives as included in the description throughout a specified “period of time”.

Time and Expense

Not every SSAE 16 audit has the same requirements. Each company’s requirements can vary depending on the type of services they perform for their customers. We have years of experience working with many varied types of companies and industries. We work with our clients to ensure that appropriate scope is identified and customers’ needs are satisfied.

The typical audit will require 4 to 6 weeks of resources to complete an audit, 1 to 2 of those weeks we will be onsite to conduct the site visit.

During the audit process we will provide you with a dedicated Compliance Specialist available to answer questions and to ensure that your company’s management is involved throughout the process.

Guide for selecting appropriate SOC or any combination

SOC 1 | SSAE 16 if:

• Your services are included as part of your customer’s financial statement
• External or financial auditors will be receiving the report
• Your clients request verification of controls applicable to their financial reporting

SOC 2 if:

• Information security is required by your client (Confidentiality, Integrity, Availability and Privacy)
• You are cloud service provider
• Protection from cyber threat is required

SOC 3 if:

• Your organization plans to make the report publically available to users (for marketing or posting on the website)

Sample service provider organizations

• Application Service Providers
• Claims Administrators
• Data Centers
• Third Party Administrators
• Payroll Providers
• Trust Departments
• Web Hosting Providers
• Cloud Computing
• Customer Support
• Managed Networks and Computing Systems
• IT Outsourcing
• Health Care Claims Management
• and more