Saturday, March 10th, 2012
SSAE 16 Type 1
An SSAE 16 Type 1 is a management report describing a service organization's system and the suitability of the design of its controls. The report contains the following: a written assertion by management that fairly presents the service organization's systems as designed and as carried out in time according to schedule. It also lays out how the controls relate to the control objectives stated in the description of the service organization's system, and whether they were well designed to achieve those objectives in time. The SSAE 16 Type 1 report also includes a description of the service organization's system and an assurance report from the service auditor.
This is the latest standard set by the AICPA, which is better than the SAS 70 standard that was introduced in June of 2011. It provides an unbiased third-party assessment of management's claim that the policies and procedures of a service organization were appropriately drawn at a time when the control objectives specified can be attained.
Thursday, February 2nd, 2012
SSAE 16 – the standard
SSAE 16 stands for Statement on Standards for Attestation Engagements No. 16. It is an auditing standard put forward by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Launched recently, it is the new attest standard and has replaced the existing SAS 70 standard. For reporting periods ending on or after 15 June 2011, this standard is compulsory for control reporting at a service organization. The transition from SAS 70 to the new standard is a move toward more globally accepted accounting principles and will help organizations comply more closely with the international service organization reporting standard, ISAE 3402.
Wednesday, December 28th, 2011
SSAE 16 vs. SAS 70
To understand the difference between SSAE 16 and SAS 70, we must first understand the broad definition and framework under which both these standards operate:
SAS 70: Statement on Auditing Standards number 70, or SAS 70 as it is generally called, is a US auditing standard that pertains to service organizations. This standard requires the auditors to check the various controls that the service organizations have established across their organizational and operational functions. The SAS 70 standard requires the auditors to publish a report at the end of the audit, which includes not only the list of controls established by the organizations but also the methods and steps the auditors used to determine the existence of those controls. The SAS 70 standard was established in the early 1990s in the United States and has undergone many revisions. SAS 70 was also adopted by many other countries, either completely or with minor regional and local modifications.
Monday, December 26th, 2011
SSAE 16 and Payroll processing companies
Payroll processing companies specialize in providing functional services for payroll operations and also perform various other payroll-related activities outsourced by their clients. The generalized scope and services provided by the payroll companies are listed below:
Saturday, November 26th, 2011
SSAE 16 Preparation Tips
SSAE 16 is the current standard of control for service organizations and is an enhancement of the SAS 70 standards. Service organizations will need to ascertain the necessity and relevance of the SSAE 16 assessment for their processes and then define the scope of the assessment. Organizations will initially need to have a comprehensive discussion with the relevant stakeholders of the processes, along with the internal auditing department, to understand the requirements and also to assess and determine the process controls that are in existence and those that need to be implemented. Based on this determination, the scope can be defined and published. The scope must be detailed – specifying the list of controls, timelines, operational process and the methods of ratification/verification of the controls.
Thursday, November 24th, 2011
Difference between SSAE 16 type 1 and type 2 reports
SSAE 16 type 1 report: This report is aimed at understanding and validating the service organization's systems/controls and also the implementation of the listed controls. For this engagement, the management of the organization will need to prepare detailed descriptions of all the existing controls of the organization, the method of designing the controls, and the methodology of implementing the controls. They will also need to specify the timelines of creation and implementation of the controls within the organization.
The organization will also need to prepare a written assertion that details the scope of SSAE type 1 reports, the date on which the test needs to be conducted and also the relevance and sanctity of the information provided in the description. The organizations will need to submit both the assertion and descriptions to the auditor for the engagement. The job of the auditor for type 1 reports is only to:
- Test the accuracy and information provided in the description and assertion
- Test the suitability and the implementation of the controls on the date of the test
The test is done on the basis of one sample examination per control. After the test phase is complete, the auditors will then need to publish a detailed report on the results of the sample control tests and also an objective opinion on the overall information provided in the description. Effectively, the SSAE 16 type 1 report establishes the existence of control systems in the service organization and their implementation on the specified date of the test. This report can be of interest to existing and potential clients of the service organization, as the report confirms the credibility of the service organization.
Tuesday, November 22nd, 2011
SSAE 16 – The Benefits
Statement on Standards for Attestation Engagements No. 16, or SSAE 16 for short, is the attest standard for CPA firms, set by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Under SSAE 16, auditing methods have embraced a globally recognizable and accountable method. It also calls for a declaration of how the system works, with a written assertion for the same. The written assertion should follow a specific format, include a few essential clauses, and be drafted by the management.
Wednesday, November 16th, 2011
Information about AT section 101
AT section 101 is the list of codified standards that act as guidelines for SOC 2 reporting. Service Organization Control 2 (SOC 2) reports are those that pertain to internal controls that fall outside the purview of financial reporting. AT section 101 is codified in accordance with the guidelines of the AICPA and is also subject to periodic reviews and amendments, just like all other sections and guidelines. SOC 2 attest engagements can be independent or part of a larger engagement that includes other reporting controls, but the reporting procedure for this engagement will have to be done separately and as per the section standards. AT section 101 engagements will follow the standard initiation procedure, where the entities employ the services of professional practitioners by giving out assertions or by completing all relevant standard formalities.
Monday, November 14th, 2011
Components of a System:
- Infrastructure – The physical hardware components of a system
- Software – The programs and operating software of a system
- People – The personnel involved in the operation and use of a system
- Procedures – The automated and manual procedures involved in the operation of a system
- Data – The information used and supported by a system
Sunday, November 6th, 2011
I have written this article to assist those who have not had any experience with the SAS 70 or SSAE 16 Audit. So I am going to give you some tips on items that can be done right away and other items that can be done a bit later. The following information can be used as a checklist that will assist you in preparing for the SSAE 16 audit. A more robust version will be available for companies that have a bit more experience with the SAS 70 or SSAE 16 process.