The Anatomy and Need for an SSAE 16 Audit
DESCRIPTION
This eBook is designed to help business professionals understand when they may need an SSAE 16 report and key factors about the engagement.
TRANSCRIPT
The Anatomy and Need for an SSAE 16 Audit
This e-book is designed to help business professionals
understand when they may need an SSAE 16 report
and key factors about the engagement.
We invite you to share your questions and comments
with us on Twitter, on our blog or through email at
TABLE of CONTENTS
Why Does Your Business Need an SSAE 16 Audit Report?
  An SSAE 16 Audit is for Your Clients
  Meeting Your Clients’ Needs Through an SSAE 16 Audit
History of SSAE 16 SOC 1 and SAS 70
  Sarbanes-Oxley and the Public Company Accounting Oversight Board
  SSAE 16 AUDIT REPORT
What is Examined in an SSAE 16 Audit?
Your First and Subsequent Audits
  How Long is an SSAE 16 Report Relevant?
How Long Does it Take to Complete an SSAE 16 Audit Report?
  Three Primary Factors in Completing an SSAE 16 Report
Cost Factors of an SSAE 16 Report
  Type of Business
  Number of Locations of the Business
  Number of Employees
  Number of Applications
  Your Deadline
The 5 Stage Process to Producing an SSAE 16 Report
About Auditwerx
auditwerx.com
WHY DOES YOUR BUSINESS NEED an SSAE 16 AUDIT REPORT?
1. Your clients expect it.
2. Your compliance process will be streamlined and ready when a client or prospect requests an SSAE 16 Audit Report.
3. You will communicate to clients and prospects your compliance with standards and industry best practices.
4. You create a level playing field with your competitors.
5. You can be a leader in your industry.
A Statements on Standards for Attestation Engagements (SSAE) 16 audit enhances your
business. The audit engagement process provides you with a better understanding of the
design and operating effectiveness of your internal control environment. It also provides
you with verification of how your company is performing compared to industry standards
and best practices. This information enables you to improve your transaction processing
and controls when necessary, and positions your company to be more competitive.
The audit report is itself a powerful tool. It provides evidence of compliance with the
American Institute of Certified Public Accountants (AICPA) standard on control
environments—SSAE 16, and it sends a message to your clients and prospects that you
take controls and security seriously.
HISTORY of SSAE 16 SOC 1 and SAS 70
The SSAE 16 Audit is for Your Clients
A successful SSAE 16 Service Organization Controls (SOC) 1 audit results in the creation of
a final report called the Independent Service Auditors Report on Controls at a Service
Organization Relevant to User Entities’ Internal Control Over Financial Reporting. This is
the report you share with your clients to provide them with the auditor’s opinion about
your policies, procedures, and controls in the areas of IT, data security, and transaction
processing.
Meeting Your Clients’ Needs
A client normally requests an SSAE 16 SOC 1 report from you in order to meet their
Sarbanes-Oxley Act (SOX) Section 404 requirements. Clients may request an SSAE 16
report at any time or for other reasons, but SOX 404 is by far the biggest trigger for these
audit engagements.
"Our company has completed SAS 70 audits the last several years with other companies.
We experienced a seamless transition to Auditwerx and the new SSAE 16 audit standard.
Auditwerx organization and leadership through the auditing process made our recent
audit our most pleasant to date."
Matt W., V.P. Operations, Resource Benefits Administration Firm
The American Institute of Certified Public Accountants first issued SAS 70, Statement
on Auditing Standards number 70, in 1992. The purpose of a SAS 70 audit was to enable
service organizations to assure their public company clients that their data was safe.
Auditors analyzed and assessed internal controls within service organizations to
determine if the policies and procedures were sufficient to secure and handle data.
Sarbanes-Oxley and the Public Company Accounting Oversight Board
In 2002, in response to several high-profile instances of fraud in public companies, the
U.S. Congress created the Sarbanes-Oxley Act to establish a new set of standards for
financial activity in public companies. As part of the new regulations and standards
regarding financial reporting, the Public Company Accounting Oversight Board (PCAOB)
drafted section 404.
Section 404 of Sarbanes-Oxley requires publicly traded companies to test internal
controls that impact data relevant to their financial reporting to ensure transparency and
data integrity. Because the internal controls of a service organization can directly impact
the financial reporting requirements of a company with which they do business, service
organizations that serve public companies are subject to the same level of scrutiny of
their internal controls.
In June 2011, SAS 70 was replaced by SSAE 16, the Statements on Standards for
Attestation Engagements, number 16, designed to enable independent auditors to
provide an opinion on the design and effectiveness of internal controls of service
organizations. An SSAE 16 audit examination results in The Report on Controls at a
Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting
that the organization can share with its clients and their auditors.
SSAE 16 AUDIT REPORT
The goal of the SSAE 16 audit examination report is to enable a service organization to
assure its public company clients that their internal controls are designed properly and
do what they say they do. The SSAE 16 audit examination has an independent, third-party
auditor provide an opinion on the design and effectiveness of the internal controls
with a direct impact on another company’s financial statements.
A service company working indirectly with the public company involved may still need an
SSAE 16 report. For example, an outsourcer that does invoicing for the online business of
a public company, due to their involvement in financial transactions, may require an SSAE
16 SOC 1 report to assure their client of the effectiveness of the design and
implementation of their controls and enable them to comply with regulations.
If the invoicing company, in turn, houses all their data with a data warehousing company,
because that data includes the financial data of the original retailer, the invoicing
company will need an SSAE 16 SOC 1 report from the data warehousing company as well.
The control environment of that public company can only be 100% in compliance with
SOX 404 and other applicable regulations if every step in the process and every entity
involved undergoes the same examination process.
"In 2012 when the new SSAE16 requirements were newly implemented, we began looking
for an agency to perform the SSAE16 SOC1 audit for us. ...Auditwerx did an exceptional
job to not interrupt business while thoroughly auditing everything we do. The week of
their site visit was intense and pleasant and our work continued as normal. I highly
recommend Auditwerx and welcome any inquiries about the organization."
Shae H., Director of Business Development, Receivables Management Company
WHAT is EXAMINED in an SSAE 16 AUDIT?
The transactions that are examined for an SSAE 16 report are those that are central to
your business. For example, if you run an employee benefits business, the audit
examination could include escrow accounts and processing payments. If you run a tax
processing business, the examination could include reviewing how you collect and
disburse money and make tax payments.
In an SSAE 16 report, we look at several elements of each transaction:
• Initiation of the process
• Authorization of the process
• Recording & logging of the process
• Security measures that are part of the process
• Accuracy of the process
• Timeliness of conducting the process
YOUR FIRST and SUBSEQUENT AUDITS
Once you have gathered all the supporting information for the first audit examination,
you can create a framework for documenting and storing each subsequent period's
information, so that you are better prepared for the audit in subsequent years.
How Long is an SSAE 16 Report Relevant?
An SSAE 16 SOC 1 report is a backward-looking report. That means you choose a point in
time and work backward for a period of three to twelve months to review internal
controls. This report is good for one full year from the date of the report. That holds true
whether the report was issued for a 3-, 6-, or 12-month review period.
The report is finalized and dated when the auditor has reviewed and tested all included
controls and received all the necessary documentation from you, the client. Because the
report date is critical to the verification of internal controls for your clients and for
reporting purposes, we recommend that companies begin the engagement 60 to 90 days
before it is needed. This ensures we have time to conduct the audit properly, issue the
report to meet your deadline, and enjoy a smooth process.
Because many companies request an SSAE 16 report from their contracted service
companies to coincide with the end of their own fiscal year, the request may come at an
awkward time for your organization. For example, a client may request the report for a
December 31 close of their fiscal year. If your company has operations that are also
impacted by the end of the year, you may not be able to work on an SSAE 16 audit at the
same time.
If it is more convenient for your company to conduct the SSAE 16 audit engagement
earlier than your clients need the report, an audit gap letter can be issued to extend
coverage to meet your client’s requirements. An audit gap letter extends coverage of the
audit for up to 90 days of operations after the report date. This allows us to conduct the
SSAE 16 audit earlier in the year as in the following example:
The date of your current SSAE 16 report is September 30, 2012 but your
client’s fiscal year ends December 31, 2012 and they need a report to
cover all of 2012. Within six months of the original report date (through
March 30, 2013), the auditor can issue an audit gap letter to extend the
validity of your SSAE 16 report to December 31, 2012 to satisfy the
client’s request.
“This was our first time to go through this type of audit. We were carefully guided
through each step of the process. The entire audit went very smoothly.”
Kelly T., Project Manager, Employee Benefits Administration
HOW LONG DOES it TAKE to COMPLETE an SSAE 16 AUDIT REPORT?
In general, the audit examination process takes about six to eight weeks, though there
are many factors that can affect how long an actual engagement will take. It is possible to
expedite an SSAE 16 audit examination and complete the report in as few as four weeks
if a company can provide full-time support of several staff members.
Three Primary Factors in Completing an SSAE 16 Report
Do you have documented policies and procedures?
If your organization has policies and procedures regarding internal controls in place, the
audit process can be quicker than if you have to create new procedures or
documentation for the purposes of the engagement. One advantage of working with an
experienced assurance audit provider is the auditor’s comprehensive system of
templates for any possible policy or procedure. Clients are often able to adjust a pre-
composed policy template to match their unique operations to avoid writing a new
policy or procedure from scratch.
How many controls or procedures does the audit include?
The number and complexity of the controls to be included in the audit affect the length
of the process. All policies and procedures that impact the financial reporting of your
clients must be included. For one organization there may be one or two relevant
procedures while there may be dozens that come into play for another.
How complex are your policies and procedures?
A relatively straightforward procedure like an employee termination procedure may be a
one- or two-page checklist. A more complex policy like an IT security policy may be a 30-
to 40-page document.
Resources Dedicated to the Audit Examination
In addition to these three factors that determine the scope of an audit engagement, your
company’s ability to dedicate resources to the project will affect the time needed to
complete the examination. To conduct an SSAE 16 SOC 1 audit examination, an auditor
must work closely with someone in your organization. An SSAE 16 audit examination
typically requires participation and input from the areas of IT, operations, human
resources, finance, and support operations. The amount of time needed with each team
member will depend on the service your organization provides and the number and
types of controls we need to review and test.
"We engaged Auditwerx to assist us in completion of our first SSAE16 audit. We found
the Auditwerx staff to be extremely knowledgeable, efficient and overwhelmingly
patient and helpful during the entire process. The ease by which they navigated us
through our audit was nothing short of amazing! I would highly recommend them!"
Jodie D., COO, Third Party Benefits Administration Firm
COST FACTORS of an SSAE 16 REPORT
The financial cost of an SSAE 16 report varies depending on many factors. Let’s look at
the five primary factors that affect the cost of an SSAE 16 report.
1. TYPE of BUSINESS
Some service businesses are more complex than others and have more internal controls
or are impacted by regulatory requirements.
2. NUMBER of LOCATIONS of the BUSINESS
Auditors are required to review the main office of a business as well as offices or facilities
that house computer servers involved in the service the organization provides. That may
involve traveling domestically or internationally.
3. NUMBER of EMPLOYEES
To ensure a proper separation of duties, auditors are required to report on
everyone who comes in contact with the transactions and anyone with access
to the data or the money.
4. NUMBER of APPLICATIONS
Auditors are required to report on the internal controls for each type of transaction that
impacts your clients’ financial information. The auditors test a sample of all transactions
conducted in one year. The more applications you have that are subject to internal
control requirements, the more there is to test.
5. YOUR DEADLINE
The typical time required to produce an SSAE 16 SOC 1 report is six to eight weeks. It is
possible to produce a report more quickly, but an expedited process will be more costly
than a report delivered in a standard timeframe.
For a U.S. or Canada-based service organization with 1 or 2 locations, 25 to 200
employees, and 1 to 3 standard services for their customers, standardized pricing
generally applies.
The 5 STAGE PROCESS to PRODUCING an SSAE 16 REPORT
Auditwerx has developed a five-stage process to help clients estimate how long their
SSAE 16 SOC 1 examination will take. This process includes planning, preparation,
on-site review, audit report draft, and audit report completion. But this is not a
cookie-cutter service. Once the planning stage is complete, we discuss with our client
the scope of the examination, the expected time frame, and any unique requirements.
We work closely with clients to create a thorough SSAE 16 report that communicates to
your clients that your operations are secure.
With our extensive experience, we have streamlined the SSAE 16 SOC 1 report process
for our clients. We take pride in our ability to serve clients efficiently while also getting to
know them as individuals and businesses. Each SSAE 16 SOC 1 audit engagement we
perform proceeds smoothly through each phase of the engagement. Our efficiency is
grounded in the fact that we do not use contractors. Rather, we have the ability to
provide the same audit team from start to finish on all phases of an engagement. This
allows us to understand our client’s operations thoroughly, not just audit them from a
distance. At the end of the day, providing value-added guidance and recommendations
to our clients by going beyond the basics of the audit is what’s most important to us at
Auditwerx.
“Initially, we were concerned about the magnitude of undergoing an SSAE 16 SOC 1
audit… Auditwerx has a seamless audit process; it was so easy to upload the required
documents to their website, track our progress, receive feedback and input and stay on
top of the process. We couldn’t be more pleased with the audit and with the overall end
product. Our SSAE 16 SOC 1 report was amazing.”
Scott B., Certified Public Accountant, Retirement Plan Administration
ABOUT AUDITWERX
An International CPA and CA Audit Firm
Auditwerx is a trusted partner for service companies that require third-party Certified
Public Accountant (CPA) or Chartered Accountant (CA) auditor assurance engagements to
meet regulatory or customer compliance needs. We are a one-stop resource for U.S.,
Canadian, and International service organization controls examinations.
Our five (5) step process for SSAE, CSAE and ISAE audit engagements, along with our
dedication to details, is why our CPAs and IT experts have been delivering
quality audit services to a broad array of service organizations exclusively since 2005. To
learn more about the audit process or to discuss arranging an audit engagement, get in
touch with us at 888-893-5536 or email us at [email protected]
Auditwerx - United States
3000 Bayport Dr, Suite 480
Tampa, FL 33607
Office: 888-893-5536
Fax: 727-499-6867
Auditwerx - Canada
1 Yonge Street, Suite 1801
Toronto, ON M5E 1W7
Office: 866-320-1859
Our vision is to be recognized as the most trusted provider of audit compliance services, our industry’s employer of choice, and our future shareholders’ investment of choice.