February 24, 2017

SSAE 16 Compliance



The path to successful completion of an SSAE 16 (SOC 1) engagement can be a rigorous and expensive process; however, it can also make or break a business, depending on the service model and the outsourced services performed. Many businesses (public and private) are moving toward the use of outsourced services and will require their service providers to be audited, either through the performance of an SSAE 16 or by sending in their own auditors. An SSAE 16 report can be issued with an unqualified (clean) opinion or a qualified (exceptions noted) opinion, but a service organization can never be considered "SSAE 16 Compliant". Lately, many companies have been guilty of using terminology such as "In Compliance with SSAE 16", "SSAE 16 Compliant", and "SSAE 16 Certified" on their websites and in marketing material. This can create a false sense of assurance: the fact that an audit was performed does not mean that no exceptions were identified during testing (which would result in a qualified opinion), nor that the controls tested appropriately cover all significant processes.

Below is a quick rundown of the SSAE 16 process:

  • Find an appropriately qualified Service Auditor to perform the testing.
  • Create an internal team made up of the department heads who will be most impacted by the audit.
  • Initiate a planning meeting with your Service Auditor to appropriately scope the project and spot any potential issues that can be avoided with proper preparation.
  • Perform an SSAE 16 Readiness Assessment.
  • Learn from any findings, adjust controls, and perform remediation activities.
  • Hold discussions with internal stakeholders to verify that all issues were appropriately remediated.
  • Discuss with your Service Auditor the differences between an SSAE 16 Type I and Type II engagement (Type I reports on the design of controls as of a point in time; Type II also tests their operating effectiveness over a period) and choose the report that best fits your current environment.
  • Perform your Type I or Type II audit.
  • Obtain the final report from your Service Auditor and distribute it to applicable clients.

While you will never be "SSAE 16 Compliant", if you perform the proper planning and business activities you can have an unqualified SSAE 16 report to distribute!