<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Linford &#38; Company LLP &#187; Blog</title>
	<atom:link href="http://linfordco.com/category/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://linfordco.com</link>
	<description>SSAE 16/SOC 1 (f. SAS 70), SOC 2, and Royalty Audit Specialist CPAs</description>
	<lastBuildDate>Thu, 17 May 2012 16:23:53 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Top 5 Reasons to Get an SSAE 16 (f. SAS 70) Report</title>
		<link>http://linfordco.com/2012/05/top-5-reasons-to-get-an-ssae-16-f-sas-70-report/</link>
		<comments>http://linfordco.com/2012/05/top-5-reasons-to-get-an-ssae-16-f-sas-70-report/#comments</comments>
		<pubDate>Tue, 08 May 2012 22:10:55 +0000</pubDate>
		<dc:creator>Rob</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[AICPA]]></category>
		<category><![CDATA[SAS 70]]></category>
		<category><![CDATA[SAS 70 Audit]]></category>
		<category><![CDATA[service organization]]></category>
		<category><![CDATA[Service Organization Report]]></category>
		<category><![CDATA[SOC 1]]></category>
		<category><![CDATA[SOC 2]]></category>
		<category><![CDATA[SSAE 16]]></category>
		<category><![CDATA[SSAE 16 Audit]]></category>
		<category><![CDATA[Type I vs Type II]]></category>

		<guid isPermaLink="false">http://linfordco.com/?p=1418</guid>
		<description><![CDATA[So, you have a current customer or client asking whether you have completed an SSAE 16 examination. Now you may have some basic questions such as the following: What is an SSAE 16 audit report? A Type II SSAE 16 report is an independent report on the design and operating effectiveness of key controls at [...]]]></description>
			<content:encoded><![CDATA[<p>So, you have a current customer or client asking whether you have completed an SSAE 16 examination. Now you may have some basic questions such as the following:</p>
<p><strong>What is an SSAE 16 audit report?</strong><br />
A Type II SSAE 16 report is an independent report on the design and operating effectiveness of key controls at a service organization. SSAE 16s were formerly called SAS 70s.</p>
<p><strong>What is a service organization?</strong><br />
Service organizations are entities that provide outsourcing activities that are relevant to the control environments at user organizations. Examples of service organizations include payroll processors, hosted data centers, application service providers, and credit processing organizations.</p>
<p><strong>If I don’t get an SSAE 16 audit, will I lose this customer?</strong><br />
You will need to determine how important the customer or client that is requesting an SSAE 16 report is to your organization. Consider requesting a proposal from an audit firm that specializes in performing SSAE 16s and weigh the cost of the report against the potential of losing a key customer or client.</p>
<p>Following are five reasons to consider having an SSAE 16 audit performed:</p>
<p><strong>Top 5 Reasons to get an SSAE 16 / f. SAS 70 Report</strong></p>
<p><strong>1.  Provide assurance to user organizations</strong> – A Type II SSAE 16 provides assurance to user organizations that the control objectives relating to the services provided by their service organization are suitably designed and operating effectively throughout the examination period. The report includes an opinion from an independent auditor on the design and operating effectiveness of relevant internal controls at a service provider.</p>
<p><strong>2.  Improve controls and business processes</strong> – SSAE 16s can help identify security weaknesses and gaps in internal control. If issues are identified during the examination, a service organization can improve their controls and/or business processes by remediating any identified issues.</p>
<p><strong>3.  Reduce audit time commitments and create efficiency in the audit process</strong> – An SSAE 16 can reduce or eliminate the need to have multiple user organization audits by providing user organizations with the information their auditors require in a generally accepted format.</p>
<p><strong>4.  Receive an independent assessment</strong> – Receive an independent assessment of your internal controls and tests of their effectiveness.</p>
<p><strong>5.  Aid in business development</strong> – An SSAE 16 may be provided to prospective customers or clients to give information about a service organization’s internal control environment and provide assurance that internal controls are working as designed.</p>
<p><strong>Demonstrating SSAE 16 / SAS 70 Compliance</strong></p>
<p>Once your service organization has gone through an SSAE 16 examination, you may provide the report to any customer or client that requests it. Audit firms that perform SSAE 16 examinations are usually also willing to provide a letter that states that you have completed an SSAE 16 examination. This letter can be provided to prospective clients as evidence that you have been through an SSAE 16 examination when the full report does not need to be provided.</p>
]]></content:encoded>
			<wfw:commentRss>http://linfordco.com/2012/05/top-5-reasons-to-get-an-ssae-16-f-sas-70-report/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SSAE 16/SOC 1 (f. SAS 70) Reports Greater or Less Than 12 Months</title>
		<link>http://linfordco.com/2012/04/ssae-16soc-1-f-sas-70-reports-greater-or-less-than-12-months/</link>
		<comments>http://linfordco.com/2012/04/ssae-16soc-1-f-sas-70-reports-greater-or-less-than-12-months/#comments</comments>
		<pubDate>Fri, 27 Apr 2012 21:22:30 +0000</pubDate>
		<dc:creator>Newel</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[12]]></category>
		<category><![CDATA[Coverage Period]]></category>
		<category><![CDATA[months]]></category>

		<guid isPermaLink="false">http://linfordco.com/?p=1414</guid>
		<description><![CDATA[A question that comes up periodically with both new and existing clients is whether service auditor examination (e.g., SSAE 16) reports can cover periods outside of the 12-month norm.  The answer to this question is yes, and it is somewhat common for several reasons.  First, service organizations that have not undergone a service auditor examination before will often start out with either a six-month reporting period or a start date of January 1st. ]]></description>
			<content:encoded><![CDATA[<p>A question that comes up periodically with both new and existing clients is whether service auditor examination (e.g., SSAE 16) reports can cover periods outside of the 12-month norm.  The answer to this question is yes, and it is somewhat common for several reasons.</p>
<p>First, service organizations that have not undergone a service auditor examination before will often start out with either a six-month reporting period or a start date of January 1st.  From a risk standpoint, it may make better sense to initially cover only six months.  Generally speaking, the fewer the months, the less risk of controls not operating effectively.  As to choosing January 1st as a start date, a service organization that wants its first report to be issued September 30th probably does not need to extend back into the prior year to satisfy a user organization.  Therefore, a January 1st through September 30th period may be appropriate.</p>
<p>Second, service organizations that are either changing their reporting dates or had a report lapse for some reason may elect to have a 12+ month reporting period.  Most user organizations and user auditors do not want to see gaps in reporting periods.  Although there could be good reasons for a service organization skipping periods (e.g., no user organization requirements for a year or two), it can be a signal to user organizations and user auditors that something is amiss at the service organization.  In most cases, once reports are on a cycle, 12-month coverage periods are the norm.  This is analogous to an SEC registrant that is filing annual public reports.  Consistency in reporting is often a good signal.</p>
]]></content:encoded>
			<wfw:commentRss>http://linfordco.com/2012/04/ssae-16soc-1-f-sas-70-reports-greater-or-less-than-12-months/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>It’s 10 O’Clock: Do You Know Where Your Data Is? – Basic Questions For Your Cloud Providers</title>
		<link>http://linfordco.com/2012/04/its-10-oclock-do-you-know-where-your-data-is-basic-questions-for-your-cloud-providers/</link>
		<comments>http://linfordco.com/2012/04/its-10-oclock-do-you-know-where-your-data-is-basic-questions-for-your-cloud-providers/#comments</comments>
		<pubDate>Wed, 11 Apr 2012 07:27:37 +0000</pubDate>
		<dc:creator>Rob</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://linfordco.com/?p=1402</guid>
		<description><![CDATA[As more widespread adoption of cloud computing takes place, many companies are trying to determine whether it can effectively work for them. The value proposition is simple: focus on what your company does best and leave the constant upgrading, patching, and maintaining of IT systems to someone else. In 2009, the City of Los Angeles [...]]]></description>
			<content:encoded><![CDATA[<p>As more widespread adoption of cloud computing takes place, many companies are trying to determine whether it can effectively work for them. The value proposition is simple: focus on what your company does best and leave the constant upgrading, patching, and maintaining of IT systems to someone else.</p>
<p>In 2009, the City of Los Angeles faced a $400 million deficit. As a result of the deficit, the City looked at many potential cost cutting measures including cloud computing. The City eventually decided to go with Google Apps, Google’s cloud-based email, calendar, and document management system. While some project stakeholders were skeptical of data residing outside of the City’s control, Google was able to meet or exceed the City’s contractual requirements and provide their cloud services in a secure, reliable, and scalable manner. In developing a business case to move to the cloud, LA’s Chief Technology Officer estimated direct savings of $5.5 million over the first three years of the contract.</p>
<p>While embracing cloud technology does not make sense to everyone—the LA Police Department recently decided not to go with Google Apps—there are many potential benefits to cloud computing that should not be overlooked. Potential customers of the cloud should make a well-informed decision as to whether they should use the cloud and to determine which cloud provider to go with. Ultimately, a company is responsible for its data wherever it resides.</p>
<p>As your company assesses the pros and cons of using cloud providers, consider asking the following questions:</p>
<ul>
<li>Where will your data reside? A fair question to ask potential cloud providers is where your data will reside. If they can’t give a direct answer—or if their answer is one you are uncomfortable with—think twice before doing business with them.</li>
<li>Will your data be segregated from other clients’ data? Virtualization technologies such as VLANs and VRFs allow the logical separation of client data on a network. Ensure your data will not be commingled with other client data and that other clients of the cloud provider cannot access your data.</li>
<li>Who will have access to your data? Determine who, if anyone, at the cloud provider will have access to your systems and data. A fair question when vetting providers is to ask what controls they have in place for hiring new employees. If your company performs background checks for new hires, it makes sense to ensure that employees at your cloud provider with physical access to your hardware and/or data have had background checks as well.</li>
<li>Will your data be encrypted at the cloud provider? If your data is highly sensitive or protected by regulations such as HIPAA, your data may be required to be encrypted when it is at rest as well as during transmission. Determine whether your cloud provider offers or has the ability to provide data encryption.</li>
<li>Will your data be available 100% of the time? Determine what the uptime and availability metrics are for a potential cloud provider and ensure they meet your company’s needs. Determining whether the provider has environmental controls such as UPS systems and generators in place will help ensure that you can access your data in the event of power failures and outages.</li>
<li>Do they have an independent assessment of the controls they have in place? Review any such assessment to confirm whether the controls your company considers necessary are in place.</li>
</ul>
<p>While these questions are by no means exhaustive of all of the questions that should be asked of potential cloud providers for your company, they do provide a starting point. Asking some basic questions can help decision makers gain a better understanding of what cloud providers do to mitigate the risks associated with managing your systems and data.</p>
]]></content:encoded>
			<wfw:commentRss>http://linfordco.com/2012/04/its-10-oclock-do-you-know-where-your-data-is-basic-questions-for-your-cloud-providers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Analytics as an Audit Tool</title>
		<link>http://linfordco.com/2012/03/data-analytics-as-an-audit-tool/</link>
		<comments>http://linfordco.com/2012/03/data-analytics-as-an-audit-tool/#comments</comments>
		<pubDate>Thu, 15 Mar 2012 19:33:23 +0000</pubDate>
		<dc:creator>Rob</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://linfordco.com/?p=1393</guid>
		<description><![CDATA[Data analytics is defined as the process of inspecting, cleaning, transforming, and modeling data with the goal of highlighting useful information, suggesting conclusions, and supporting decision making. Common uses of data analytics: Customer resource management (CRM) – Analytics can help companies monitor and understand customer actions and create more targeted advertising and services. Business intelligence – [...]]]></description>
			<content:encoded><![CDATA[<p>Data analytics is defined as the process of inspecting, cleaning, transforming, and modeling data with the goal of highlighting useful information, suggesting conclusions, and supporting decision making.</p>
<p>Common uses of data analytics:</p>
<ul>
<li>Customer resource management (CRM) – Analytics can help companies monitor and understand customer actions and create more targeted advertising and services.</li>
<li>Business intelligence – Business analytics can be used to provide current and historical views of business operations as well as providing predictions about future operations. For example, analytics can be used to search through large volumes of business data such as sales data and identify faster moving products. Businesses may then make decisions based on the data.</li>
<li>Fraud detection and analysis – Analytics can be used to search through data in financial systems of record such as accounts payable systems searching for questionable transactions that could be fraudulent.</li>
</ul>
<p><strong>Data analytics for IT auditing</strong></p>
<p>Data analysis can also be used as an effective auditing tool. In the past, auditors have used sampling methods to test a portion of a population and extrapolate the results of the sample over the whole population. Data analytics can be used to test full populations without the need to extrapolate sampling results. Rather than selecting 25 or even 50 samples from a population of 10,000 records, data analytics allow an auditor to test all 10,000 records and provide an exact percentage of the identified errors rather than extrapolating an expected number of errors over the population being tested.</p>
<p><strong>Examples of IT audit analytics</strong></p>
<ul>
<li>Test physical and logical access logs against approved access lists to ensure that no unauthorized individuals accessed physical locations or systems.</li>
<li>Check physical and logical access lists against terminated and current employee listings to identify unauthorized users.</li>
<li>Identify new hires or employee transfers that have received access to specific systems or specific roles within systems (e.g., write access) to pick samples for testing that are all valid as opposed to sampling a new hire or transfer that may not have received elevated access to the specific system being audited.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://linfordco.com/2012/03/data-analytics-as-an-audit-tool/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Gap or Bridge Letters</title>
		<link>http://linfordco.com/2012/02/gap-or-bridge-letters/</link>
		<comments>http://linfordco.com/2012/02/gap-or-bridge-letters/#comments</comments>
		<pubDate>Mon, 20 Feb 2012 20:52:50 +0000</pubDate>
		<dc:creator>Newel</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[bridge]]></category>
		<category><![CDATA[gap]]></category>
		<category><![CDATA[letter]]></category>

		<guid isPermaLink="false">http://linfordco.com/?p=1372</guid>
		<description><![CDATA[There is a letter that the service organization can provide that covers the “gap” between the report date and another date (e.g., October 15, 2011 through December 31, 2011).  This letter is called either a “gap” or “bridge” letter. ]]></description>
			<content:encoded><![CDATA[<p>Astute observers will note that most SSAE 16/SOC 1 reports cover only a portion of the user organization’s calendar or fiscal year.  For example, a report may have a coverage period of October 1, 2011 through September 30, 2012.  If the user organization has a calendar year end, what does it do to get comfort about the controls for the last three months of the year?  The answer is simple.  There is a letter that the service organization can provide that covers the “gap” between the report date and another date (e.g., October 15, 2011 through December 31, 2011).  This letter is called either a “gap” or “bridge” letter.  It is a great tool that can be used instead of waiting for the next report, which would be a year away.</p>
<p>Since the CPA firm is not opining on those controls within the gap period for the purposes of this gap or bridge letter, the CPA firm cannot issue the letter.  However, management of the service organization can and should—in most cases—issue such a letter.  <a title="Bridge Letter" href="http://linfordco.com/wp-content/uploads/2012/02/Type-II-GAP-Letter-02-20-12-v2.docx">Attached</a> is an example of such a letter that service organizations may find useful.</p>
]]></content:encoded>
			<wfw:commentRss>http://linfordco.com/2012/02/gap-or-bridge-letters/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security – Don&#8217;t Neglect the Basics</title>
		<link>http://linfordco.com/2012/01/security-dont-neglect-the-basics/</link>
		<comments>http://linfordco.com/2012/01/security-dont-neglect-the-basics/#comments</comments>
		<pubDate>Wed, 01 Feb 2012 03:41:28 +0000</pubDate>
		<dc:creator>Rob</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://linfordco.com/?p=1356</guid>
		<description><![CDATA[Our firm has examined a wide variety of clients in a number of different industries. Considering the criticality of many client systems and networks, it is interesting that some companies neglect the basics that help ensure the security of their data. The following tips are by no means inclusive of all of the security precautions [...]]]></description>
			<content:encoded><![CDATA[<p>Our firm has examined a wide variety of clients in a number of different industries. Considering the criticality of many client systems and networks, it is interesting that some companies neglect the basics that help ensure the security of their data. The following tips are by no means inclusive of all of the security precautions your company should be taking, but they are a start.</p>
<p><strong>Ensure the right people have the right access</strong></p>
<p>Employees are constantly turning over and changing roles. It is important to have a process in place to help ensure that as employees turn over or change roles, their access remains commensurate with their job responsibilities. New access requests should be approved by an appropriate level of management prior to access being granted. Access should also be removed or disabled for terminated employees in a timely manner. In addition to having a process to add and remove access, it is a good idea to perform periodic access reviews to ensure access remains appropriate over time.</p>
<p><strong>Require and use strong passwords</strong></p>
<p>Systems that authenticate using Microsoft Active Directory should be configured to systematically require the use of complex passwords. This can be accomplished by setting the group policy object’s password policy to require the use of complex passwords. If your application does not use Active Directory to authenticate, determine if your application can be configured to require password complexity and configure it to do so. If you are not able to systematically enforce password complexity, you should educate users on the importance of using complex passwords and changing them periodically. The following are some best practices for password requirements:</p>
<ul>
<li style="text-align: left;">Have a minimum of eight characters</li>
<li style="text-align: left;">Contain a combination of lowercase and uppercase alphanumeric characters and symbols</li>
<li style="text-align: left;">Should not contain any part of the user name that is associated with the password</li>
<li style="text-align: left;">Be changed every 60–90 days</li>
<li style="text-align: left;">Should not be the same as any of the user’s previous 10 passwords</li>
</ul>
<p><strong>Ensure patching and antivirus levels are up to date</strong></p>
<p>It is important to ensure that applications and operating systems are up to date on patch and antivirus levels to help mitigate the risk of known security vulnerabilities. Ensure that your company has a process for periodically scanning applications, operating systems, and hardware to ensure that patching and antivirus levels are up to date. Tools such as Microsoft WSUS (Windows Server Update Services) can be used to manage the distribution of patches to computers. Tools such as McAfee’s ePolicy Orchestrator (ePO) can be used to periodically scan and update antivirus definitions. In conjunction with tools used to scan applications and infrastructure, have a process to follow up on repeated failed update attempts to ensure they are eventually applied successfully.</p>
<p>While these tips are by no means inclusive of all of the security precautions your company should be taking, they are a good start to helping ensure the security of your systems and infrastructure. Don’t get caught neglecting the basics.</p>
]]></content:encoded>
			<wfw:commentRss>http://linfordco.com/2012/01/security-dont-neglect-the-basics/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SOC 1 vs SOC 2 Audit Reports</title>
		<link>http://linfordco.com/2012/01/soc-1-vs-soc-2-audit-reports/</link>
		<comments>http://linfordco.com/2012/01/soc-1-vs-soc-2-audit-reports/#comments</comments>
		<pubDate>Wed, 11 Jan 2012 00:56:22 +0000</pubDate>
		<dc:creator>Newel</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[AICPA]]></category>
		<category><![CDATA[AT 101]]></category>
		<category><![CDATA[SOC 1]]></category>
		<category><![CDATA[SOC 2]]></category>
		<category><![CDATA[SSAE 16]]></category>

		<guid isPermaLink="false">http://linfordco.com/?p=1340</guid>
		<description><![CDATA[Our firm has spent a fair amount of time discussing the differences between SSAE 16 (SOC 1, formerly SAS 70) and AT 101 (SOC 2) audit reports with many individuals from a significant number of companies in a variety of industries.  So what are the differences?  In short, the structure and the content of the [...]]]></description>
			<content:encoded><![CDATA[<p>Our firm has spent a fair amount of time discussing the differences between SSAE 16 (SOC 1, formerly SAS 70) and AT 101 (SOC 2) audit reports with many individuals from a significant number of companies in a variety of industries.  So what are the differences?  In short, the structure and the content of the reports are not significantly different; <em>it is the recipients of the reports that are different.  </em>It is a nuanced, though important, difference.  The descriptions below are from the American Institute of Certified Public Accountants (AICPA) and accurately describe the different uses of the two reports.</p>
<p><strong>SOC 1 Report</strong></p>
<p>These reports are intended to meet the needs of entities that use service organizations (user entities) and the CPAs who audit the user entities’ financial statements (user auditors) when evaluating the effect of controls at the service organization on the user entities’ financial statements.  User auditors use these reports to plan and perform audits of the user entities’ financial statements.  SOC 1 engagements are performed under Statement on Standards for Attestation Engagements (SSAE) No. 16, <em>Reporting on Controls at a Service Organization (AICPA, Professional Standards, AT sec. 801)</em>, and the AICPA Guide Service Organization’s <em>Applying SSAE No. 16, Reporting on Controls at a Service Organization</em>.  In other words, if the service organization plays a role in their clients’ financials (including hosting systems, such as Oracle or SAP financials), then a SOC 1 audit report is the correct choice.</p>
<p><strong>SOC 2 Report</strong></p>
<p>These reports are intended to meet the needs of a broad range of users who need information and assurance about controls at a service organization that affect the security, availability, or processing integrity of the systems that the service organization uses to process users’ data or the confidentiality or privacy of the information processed by these systems.  Examples of stakeholders who may need these reports are management or those charged with governance of the user entities and service organization, customers of the service organization, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls.  These engagements are performed under AT section 101, <em>Attest Engagements (AICPA, Professional Standards)</em>, and the <em>AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy</em>.  Simply put, every service organization that does not fall into the SOC 1 criteria should obtain a SOC 2 audit report.</p>
<p><strong>So what should a service or user organization do?</strong></p>
<p>Service organizations are now in the unforeseen position of receiving requests for both types of reports.  Since a service organization may have clients (i.e., user organizations) that meet the criteria for both reports, it is inevitable that a service organization will have to obtain both types of reports.  For example, this is becoming a more common situation with data center companies, though it is not unique to them.  Service and user organizations should simply discuss which report is needed while understanding that the content of a SOC 1 or a SOC 2 report is often as closely related as the names of the reports themselves.</p>
]]></content:encoded>
			<wfw:commentRss>http://linfordco.com/2012/01/soc-1-vs-soc-2-audit-reports/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Cloud Migration Considerations</title>
		<link>http://linfordco.com/2011/10/cloud-migration-considerations/</link>
		<comments>http://linfordco.com/2011/10/cloud-migration-considerations/#comments</comments>
		<pubDate>Sun, 02 Oct 2011 23:17:52 +0000</pubDate>
		<dc:creator>Newel</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://linfordco.com/?p=1296</guid>
		<description><![CDATA[It seems like almost everyone is talking about cloud computing these days.  However, these discussions often omit the factors that user organizations should carefully consider when contemplating moving to a cloud provider to host business critical applications.  The following are six important factors for a user organization to consider...]]></description>
			<content:encoded><![CDATA[<p>It seems like almost everyone is talking about <em>cloud computing</em> these days.  However, these discussions often omit the factors that user organizations should carefully consider when contemplating moving to a cloud provider to host business critical applications.  The following are six important factors for a user organization to consider:</p>
<p><strong>Am I using a trusted service organization?  </strong>Ask whether the service organization has undergone an SSAE 16/SOC 1 (formerly SAS 70) examination.  These third-party examinations are performed by <em>independent auditors</em> who examine the design and operating effectiveness of internal controls that support information security, transaction processing, reporting, service availability, and other functions at these service organizations.  Executives should ask service organizations whether they have undergone such an examination as part of their due diligence procedures.</p>
<p><strong>Have I considered the value and risk to the information that I am outsourcing to the service organization?  </strong>Although a user organization can outsource certain functions to a service organization, management of the user organization cannot abdicate responsibility.  SSAE 16 reports can assist user organizations with their evaluation of the value and risk of outsourcing certain activities.  The internal controls tested as part of an SSAE 16 examination are required to be described in detail.  This report helps the user organization understand its risk profile and the anticipated value from outsourcing.</p>
<p><strong>Have I considered how knowledge of the business processes would be retained should I wish to switch back from outsourcing?  </strong>Fear of losing internal knowledge when outsourcing certain activities is often dismissed when the service organization has an SSAE 16 report.  The reason is simple: the people, systems, data, processes, and supporting controls are usually described in sufficient detail within an SSAE 16 report so as to enable user organizations to switch back from outsourcing should the need arise.  Companies need not fear, as internal processes can be rebuilt using the SSAE 16 report as a tool in the event they need to switch back to in-sourcing.</p>
<p><strong>Do I have a detailed list of controls based on cloud security, operational, and business risks to determine how the service organization complies with them?  </strong>This is one more area where an SSAE 16 report excels.  Internal controls specific to the services the service organization is providing are described in detail within the SSAE 16 report.  This is true regardless of whether the internal controls address security, operational, or other risks.  This enables companies to understand the control environment at the service organization as well as the controls they themselves would be responsible for (i.e., user control considerations).</p>
<p><strong>Does my service organization meet the regulatory or compliance requirements needed by my organization?  </strong>SSAE 16 reports are designed to meet the testing and reporting requirements associated with many regulations, such as those of the Sarbanes-Oxley Act (SOX).  The reports cover internal controls related to systems that support financial reporting.  These reports are accepted and used by public companies and their auditors all over the world.</p>
<p><strong>How do I audit or evaluate controls outsourced to a service organization?  </strong>Simply request the SSAE 16 report and evaluate the contents.  This is easily the most efficient and comprehensive way to perform these due diligence procedures.  User organizations should place reliance on the competence and independence of the auditing firm that has been engaged to report on the service organization’s internal controls.  Other methods of evaluation may lack scope and depth, and be cost and time prohibitive.</p>
<p>User organizations should let these questions be a guide when considering cloud offerings by service organizations.</p>
]]></content:encoded>
			<wfw:commentRss>http://linfordco.com/2011/10/cloud-migration-considerations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Deconstructing an SSAE 16/SOC 1 (formerly known as SAS 70) Audit Report</title>
		<link>http://linfordco.com/2011/07/deconstructing-an-ssae-16soc-1-formerly-known-as-sas-70-audit-report/</link>
		<comments>http://linfordco.com/2011/07/deconstructing-an-ssae-16soc-1-formerly-known-as-sas-70-audit-report/#comments</comments>
		<pubDate>Fri, 08 Jul 2011 23:55:31 +0000</pubDate>
		<dc:creator>Newel</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[SAS 70]]></category>
		<category><![CDATA[SOC 1]]></category>
		<category><![CDATA[SSAE 16]]></category>

		<guid isPermaLink="false">http://linfordco.com/?p=1176</guid>
		<description><![CDATA[Many U.S. companies receive what, until recently, were called SAS 70 audit reports from certain types of vendors.  These reports come out once a year, typically in the late Fall.  While most organizations do a good job of recognizing the need to request these reports, often they are not properly reviewed and evaluated when received. So, what do you do with the report once it has been received other than give it the internal and external auditors?]]></description>
			<content:encoded><![CDATA[<p>Many U.S. companies receive what, until recently, were called SAS 70 audit reports from certain types of vendors.  These reports come out once a year, typically in the late Fall.  While most organizations do a good job of recognizing the need to request these reports, often they are not properly reviewed and evaluated when received. So, what do you do with the report once it has been received other than give it the internal and external auditors?</p>
<p><strong>Critical Areas and Common Red Flags</strong></p>
<p>The following are suggestions for reviewing audit reports from vendors:</p>
<ul>
<li>Accounting Firm:  The name of the accounting firm is located in section I. Check with the firm’s state licensing board to confirm they are a licensed CPA firm.  Sadly, a surprising number are non-CPA firms, which in most states, including Colorado, is illegal.  License verification: <a href="https://www.doradls.state.co.us/alison.php">Colorado</a> and <a href="http://www.op.nysed.gov/opsearches.htm#eng">New York</a>.</li>
<li>Management’s Assertion:  Now that SAS 70 has been replaced by SSAE 16, Management is required to include their written assertion in the report stating the report’s accuracy.  Already, SSAE 16 reports are turning up with this assertion missing.  If it’s missing, a conversation with the auditor is warranted.</li>
<li>Location: Vendors often have multiple locations, which is to be expected in the global economy.  Make sure the report and audit testing covers the locations in which the vendor is performing services for your company.  If it is not obvious, ask the vendor to clarify.  A vendor passing off narrow scope audit reports is more common than you might think.  Vendors do it to save costs, auditors agree to obtain work, but the public suffers.</li>
<li>Report Dates:  More than a few vendors try to pass off old reports as current reports. Make sure the vendor provides a current report.</li>
<li>Processes, People, &amp; Systems:  The processes as well as the people and systems that support the processes should be adequately described in the report.  Make sure there is sufficient detail so you can understand what the vendor <em>is doing and what they are not doing</em>.  If a key process (e.g., information security) is not described in the report, ask the vendor about it.</li>
<li>User Control Considerations: User control considerations are simply controls that reside at the service organization.  Most audit reports have them.  Make sure your company considers these carefully.</li>
<li>Extent of Testing:  Since SAS 70/SSAE 16 are attestation engagements, auditors are required to perform audit procedures beyond inquiry (i.e., asking questions) and observation.  The auditors are required to perform a significant part of the examination through inspection and, where necessary, re-performance procedures.  In the results of tests—usually Section III—review the language used to describe the tests to see whether it meets the criteria just described.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://linfordco.com/2011/07/deconstructing-an-ssae-16soc-1-formerly-known-as-sas-70-audit-report/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>AICPA Surrenders to the CICA</title>
		<link>http://linfordco.com/2011/06/aicpa-surrenders-to-the-cica/</link>
		<comments>http://linfordco.com/2011/06/aicpa-surrenders-to-the-cica/#comments</comments>
		<pubDate>Wed, 29 Jun 2011 06:33:24 +0000</pubDate>
		<dc:creator>Newel</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[AICPA]]></category>
		<category><![CDATA[CICA]]></category>
		<category><![CDATA[SAS 70]]></category>
		<category><![CDATA[SOC 3]]></category>
		<category><![CDATA[SSAE 16]]></category>
		<category><![CDATA[Trust Services]]></category>

		<guid isPermaLink="false">http://linfordco.com/?p=1153</guid>
		<description><![CDATA[The American Institute of Certified Public Accountants (AICPA) has officially surrendered to the Canadian Institute of Chartered Accountants (CICA).  That's right surrendered.  Did you know that if you want a SOC 3 audit report, prepared using the guidance issued from the AICPA,  you have to be licensed by the CICA?]]></description>
			<content:encoded><![CDATA[<p>The American Institute of Certified Public Accountants (AICPA) has officially surrendered to the Canadian Institute of Chartered Accountants (CICA).  That&#8217;s right, surrendered.  Did you know that if you want a SOC 3 audit report, prepared using the guidance issued from the AICPA, <a href="http://www.aicpa.org/INTERESTAREAS/INFORMATIONTECHNOLOGY/RESOURCES/TRUSTSERVICES/Pages/default.aspx" target="_blank">you have to be licensed by the CICA</a>?  Sound crazy?  It is&#8230; Did you also know that almost no one at the AICPA, even in the technical auditing area, knows this fact?  What the general public may not know from the AICPA&#8217;s recent SOC branding campaign is that SOC 3 is simply another name for the Trust Services report that has been around since the late &#8217;90s.  Originally, it was a program jointly developed by the AICPA and CICA to help build confidence in using electronic commerce.  Remember that old term?  Do you also remember that almost everyone in the late &#8217;90s considered online transactions risky business?  Trust Services was meant to address this problem.  The fact is that even today almost no service organizations get a SOC 3 report with the accompanying seal. The low use of these reports compelled the AICPA to punt the entire program to CANADA. Even worse, the CICA is understaffed, since only one person administers the program.  Yes, it is that scary.  I guess the AICPA wanted to focus more of its internal resources on the endless affinity programs and the cpa2biz store instead of actually administering a technical program such as this.  So with the rebranding of existing reports as SOC 1, SOC 2, and SOC 3 (by the way, 99.9999% of all these reports are SOC 1), some in the general public think &#8220;oh, I need this new SOC 3 report&#8230;&#8221;  Chances are, they do not. Chances are even greater they do not know it is actually a CICA offering and has virtually nothing to do with the AICPA.  Welcome to the AICPA.  Now can I please have that Avis car rental discount?</p>
]]></content:encoded>
			<wfw:commentRss>http://linfordco.com/2011/06/aicpa-surrenders-to-the-cica/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

