SSAE 16 / SSAE 18 / SOC 1 Basics
The SSAE 16 standard is a report that is intended for customers which you have a responsibility for controls over their financial reporting processes. The report typically tests transaction processing integrity controls, computer security controls, program change management controls, IT operations controls and entity level controls of your organization. For your report, you will define (in consultation with your customers) a set of “Control Objectives” within each of the main testing areas that are tailored to how you conduct business. Then, within each Control Objective, you will identify key controls that work together to achieve the desired Control Objective. Typically, businesses receive audits and updated reports on an annual basis.
In some cases, customers will ask you for a SAS70 report as that was once the go-to standard. The SSAE 16 standard superseded it on June 15th, 2011 and SAS 70 reports are no longer allowed to be issued. You may also see the SSAE 16 report called the SOC 1, which is also accurate as they refer to the same thing. Your international customers may ask about ISAE 3402 reports which are very similar to SSAE 16 reports, with the main difference being that it is for an international audience and a few variations in the auditor’s opinion letter.
Starting May 1, 2017, the SSAE 18 standard will replace all SSAE 16 reports. Most requirements will remain the same for this transition, however, there is additional guidance and requirements that focus on maintaining a Vendor Management Program, performing periodic Risk Assessments of the business and additional focus on Complementary Subservice Organization Controls.
Types of businesses where SSAE 16 / SOC 1 reports are typically the most appropriate are as follows:
- Debt Collectors
- Payroll Processors
- SaaS Providers
- Claims Processing Providers
- Transaction Processing Organizations
Our professionals have years of experience in both performing SSAE 16 and SOC audits as well as years of experience in helping companies get prepared to go through the audit process. We are able to walk you through the entire process from start to finish to help achieve results that are representative of how you do business.
We are able to assist through each step of the audit process:
- Conduct a pre-assessment to identify areas that may need improvement prior to being audited
- Assist you with interpreting your customers’ assurance needs and determine what (if any) reports would be appropriate to pursue
- Perform the audit and arrange for the delivery of the final report from a licensed CPA firm
The type of report that you need is dictated by how your customers rely upon the services that you provide to them. While there are some clear cut requirements for each type of report, often times you can select the report that works best for a majority of your customers.
Get a Quote!