SSAE 16

A user organization and a service organization can be subject to similar regulatory requirements depending on the industry in which they operate. For example, both organizations may need to be compliant with some of the following regulatory requirements: Basal II, GLBA, FACTA, PCI, ISO 2700 and HIPPA. In the past, a SAS 70 review was often inappropriately used to report on controls related to these regulatory requirements that are clearly unrelated to internal control over financial reporting. Because of this confusion and lack of clarity in scope, the nature of a SSAE 16 review has been re-defined. The AICPA has issued further guidance on providing assurance on controls that are unrelated to financial reporting. This guidance provides requirements that both user entity and service organization management need to be aware of and plan accordingly. ERM thoroughly understands the new requirements detailed in the standards and is available to assist both user entity and service organization management prepare for this transition. ERM can also perform SSAE 16 and Attestation SOC 2 and 3 engagements.

An engagement conducted under SSAE 16 will now result in a Service Organization Control (SOC) 1 report. A SOC 1 engagement focuses on internal controls over financial reporting and is primarily used by user entity external auditors. An engagement that provides assurance on controls at a service organization other than those relevant to user entities’ internal controls over financial reporting is now performed as an Attestation engagement and is specifically called a SOC 2 engagement. Controls assessed are typically those relevant to security, availability, processing integrity, confidentiality or privacy. And finally, a SOC 3 engagement is similar to a SOC 2 engagement; however a SOC 3 report does not contain the service auditor’s description of the system, nor any tests and results.

User Entity Management Concerns

With the benefits of outsourcing comes the transference of risk. Organizations that choose to outsource operations to a service organization inherit the service organization’s risks. User organizations must effectively manage relationships with vendors that provide outsourced services by increasing their due diligence efforts as they relate to current and prospective vendor relationships.
User entity management needs to ensure and feel comfortable that their service organization’s system has been updated for the new requirements. ERM can help you determine whether:

• Risk is sufficiently addressed. Does the service organization’s control environment include a risk assessment process, information and communication systems and control and monitoring activities? The control environment is critical since it can have a pervasive impact as a whole as it relates to whether controls were suitably designed and operating effectively;
• Your organization needs to develop and/or implement new complementary controls due to changes in the service organization’s description of their system;
• There are changes to the mix or percentage of operations handled by subservice organizations working with your service provider and whether the service organization’s description adequately addresses this through the inclusive or carve out method. Often, relationships with subservice providers are not fully understood and can be minimized unintentionally in the service organization’s report.

User entity management must also develop more detailed assertions for SOC 1, 2 and 3 type engagements. This assertion must fully address the design and operating effectives of the description of the system (including controls and control objectives) for the new criteria.

Service Organization Management Concerns

Numerous issues related to the service organization’s description of the system have also arisen with the implementation of the new standards. ERM can help service organization management ensure that:

• The scope of the description of the system is appropriate and complies with applicable regulatory requirements. The information system controls described in the description will differ between SOC 1 and SOC 2 engagements;
• Control objectives and associated controls address new requirements and criteria defined in the standards. The scope of a SOC 2 engagement addresses controls that are unrelated to financial reporting and often include those over resources that support or provide security, availability, processing integrity, confidentiality or privacy;
• The AICPA’s Trust Services Principles Criteria have been properly integrated into the description of the system. This criteria is necessary for a service auditor to perform a SOC 2 or SOC 3 engagement; and
• Risk assessment and management activities are updated and/or expanded as necessary.

ERM is here to assist you will all of your service organization assurance needs. We can help your transition into the requirements of the new standards, whatever they may be.