May 20, 2018

SSAE 16 Audit Process

Warning: Illegal string offset 'keywords_time' in /homepages/27/d172822364/htdocs/ssae/wp-content/plugins/internal-link-building/Internal_Link_Building.php on line 103

The SSAE 16 Audit Process will be time consuming, but, will save your company time, money, and effort in the long run as User Organizations may be required to send their auditors to your facility depending upon contracts in place and their financial reporting requirements.

For a brief overview of the SSAE 16 (SOC 1) Audit Process, please see below:

  • On-site consultation to support management in pinpointing the control objectives and control procedures.
  • Present guidance to management regarding the adequacy of their control objectives and controls.
  • Execute the on-site testing at various points in time during the testing period to ascertain the effectiveness of the controls put into operation as well as the operating effectiveness of the controls for Type II reports. Testing typically includes inquiry, inspection, and observation.
  • Preparation of the draft report to be evaluated by the service organization for accuracy and completeness of the details.
  • Distribution of a findings memo to management noting any control deficiencies uncovered throughout the course of the review.
  • Delivery of the SSAE 16 report in hardcopy and electronic PDF format.

Some issues to be aware of:

The audit should be limited to the area(s) of the business which the service offering under review touches as it is being performed. If controls are being tested that do not have a correlation to the service under review, they should be excluded. Having superfluous controls in place will lead to more complex, higher cost, and a higher chance for a failure on the report.

An SSAE 16 (SOC 1) can only be performed by a CPA or CPA Firm, however, a readiness assessment and control design can be performed by any consulting firm with the experience to do so. Be careful though, choosing a lower cost provider for some services may not always be the best option and could lead to your CPA Firm requiring additional time/fees to fix the issues.