When it comes to SSAE 16 internal audits and the auditors who work on these engagements, it's critically important to know that the SSAE 16 standard, which effectively superseded the SAS 70 auditing standard, includes specific guidance on the internal audit function. Specifically, if the service organization has an internal audit department or internal audit personnel, they may play a role in the SSAE 16 assessment being conducted by the practitioner (i.e., the CPA performing the SSAE 16 engagement). With that in mind, take note of the following 5 important points regarding SSAE 16 internal auditors and the internal audit function.
1. Determine if the service organization has an internal audit department. First and foremost, it's important to ask the right questions when conducting scoping activities for an SSAE 16 Type 1 or Type 2 assessment. When working with the CPA firm that is conducting the engagement, make sure to discuss what functions, if any, your organization has in regards to internal audit. Specifically, are there personnel who perform periodic and/or routine testing of controls related to daily operational activities within your organization? Even more, does your organization outsource internal audit procedures to a third-party entity, and if so, what specifically do they do? Essentially, service organizations need to ask themselves the "who, what, when, where, and why" regarding internal audit activities. Doing so will help with proper scoping of the SSAE 16 Type 1 or Type 2 assessment, and may even provide some efficiencies.
2. Determine the adequacy of the internal audit function. It's critically important to learn about the personnel involved in the internal audit function: who they are, the work they perform, and so on. Essentially, you want to ensure they are professional, competent individuals and that the work they've actually performed is objective, unbiased, complete, and accurate. You can't rely on work performed by inexperienced internal audit personnel, nor can you rely on the results of that work.
3. Determine the nature and scope of the work to be performed. If you find yourself digging deeper into the internal audit function, it's because points 1 and 2 above have been met in a satisfactory manner, which is good news. You'll now need to determine exactly what work is to be, or has been, performed by the internal audit function within the organization and how it actually correlates to the SSAE 16 Type 1 and/or Type 2 engagement.
4. Determine how significant the work is to the service auditor's findings and conclusions for an SSAE 16 engagement. This point generally runs parallel to the previous one. Essentially, once you've agreed on the scope of the internal audit function, how critical, relevant, and vital is it to the actual findings for the engagement? For example, was the internal audit function conducting procedures over areas considered high risk, or was it simply testing low-level controls? Each internal audit function will play a vastly different role in each SSAE 16 assessment, so keep that in mind for the sake of clarity.
5. Determine the degree of subjectivity to be used in evaluating the evidence that supports the conclusion. In simpler terms, this asks how the evidence (i.e., documentation) obtained from the internal audit function is evaluated, and what measures are to be used for inspecting and relying on that evidence.
As one can clearly see, the SSAE 16 internal audit and auditor function "can" become an extremely relevant and material component of the overall SSAE 16 assessment process. And remember, because every organization's internal audit function is different, the above steps and related processes and procedures will need to be undertaken, no question about it.
Please contact Christopher G. Nickell, CPA, to learn more about NDB's SSAE 16 services and our competitive, fixed-fee pricing. He can be reached at 1-800-277-5415, ext. 706, or via email. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.