As for Items 6 through 10 of the SSAE 16 audit checklist, please note the following:
6. Assign roles and responsibilities to internal personnel. Again, another concept that sounds relatively straightforward, yet challenges often arise when deliverables come due. From answering SSAE 16 readiness questionnaires offered up by CPA firms, to gaining valuable audit evidence, roles and responsibilities need to be clear and transparent. Don’t forget that many times the writing of policies and procedures becomes a strict mandate for SSAE 16 compliance, so start thinking of somebody who has excellent authoring skills. From network security policies, to backup policies, change control processes – and many others – the need for operational and information security polices for SSAE 16 compliance is real indeed.
7. Assist in authoring the final report. The actual deliverable for a SSAE 16 engagement is known as the Service Auditor’s Report, a lengthy document that highlights numerous operational and business process activities undertaken by the service organization. This is technically known as the description of the “system”, and service organizations are required to produce one. Look upon the description of the “system” as the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities. The key to authoring a well-written and comprehensive description of one’s “system” is to work with a CPA firm specializing in SOC 1 SSAE 16 compliance, such as NDB Accountants & Consultants.
8. Provide a written statement of assertion. Along with the description of its “system”, management of the service organization must also provide a written statement of assertion as part of its SSAE 16 reporting requirements. The “assertion” – as it’s commonly called – is essentially a document for which the service organization is asserting to a number of essential clauses and provisions regarding the SSAE 16 assessment process itself. Your CPA firm conducting the engagement can provide you with a written statement of assertion template. Interestingly, the assertion was never a requirement with the previous SAS 70 auditing standard, which had been in place for approximately twenty (20) years (April, 1992 to June 15, 2011).
9. SSAE 16 is a moving target, so plan accordingly. SSAE 16 is not a "one and done" concept, sure, the actual SOC 1 SSAE 16 Type 2 assessment may only be done once a year, but service organizations should strive to conduct activities on a quarterly basis for assisting with one's compliance mandates. Specifically, gathering audit evidence and working with your external CPA firm conducting the annual assessment is a smart move, one that results in efficiency for both sides. Talk to your CPA and establish quarterly milestones throughout the year for your annual SOC 1 SSAE 16 Type 2 report.
10. Determine the appropriate users of the report. In recent years, there’s been much debate on who can obtain a SOC 1 SSAE 16 report – and more importantly – what part of the report should be distributed. Generally speaking, only “intended users” should be given access to a SSAE 16 report – and even then – only a brief summary, such as the auditor “opinion page” should be released. However, many “intended users” prefer or even demand access to the entire report. The point is to readily assess your client’s demands regarding SSAE 16 reporting, and what specifically they expect to receive in terms of reporting.
Read Part I of the SSAE 16 audit checklist.
Interested in receiving a competitive-fixed fee for all your SOC 1 SSAE 16 reporting needs? Then contact Christopher G. Nickell, CPA, at 1-800-277-5415, ext 706 today, or email him at email@example.com. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.