Deconstructing an SSAE 16/SOC 1 (formerly known as SAS 70) Audit Report

Many U.S. companies receive what, until recently, were called SAS 70 audit reports from certain types of vendors.  These reports come out once a year, typically in the late Fall.  While most organizations do a good job of recognizing the need to request these reports, often they are not properly reviewed and evaluated when received. So, what do you do with the report once it has been received other than give it the internal and external auditors?

Critical Areas and Common Red Flags

The following are suggestions for reviewing audit reports from vendors:

  • Accounting Firm:  The name of the accounting firm is located in section I. Check with the firm’s state licensing board to confirm they are a licensed CPA firm.  Sadly, a surprising number are non-CPA firms, which in most states, including Colorado, is illegal.  Colorado and New York license verification.
  • Management’s Assertion:  Now that SAS 70 has been replaced by SSAE 16, Management is required to include their written assertion in the report stating the report’s accuracy.  Already, SSAE 16 reports are turning up with this assertion missing.  If it’s missing, a conversation with the auditor is warranted.
  • Location: Vendors often have multiple locations, which is to be expected in the global economy.  Make sure the report and audit testing covers the locations in which the vendor is performing services for your company.  If it is not obvious, ask the vendor to clarify.  A vendor passing off narrow scope audit reports is more common than you might think.  Vendors do it to save costs, auditors agree to obtain work, but the public suffers.
  • Report Dates:  More than a few vendors try to pass off old reports as current reports. Make sure the vendor provides a current report.
  • Processes, People, & Systems:  The processes as well as the people and systems that support the processes should be adequately described in the report.  Make sure there is sufficient detail so you can understand what the vendor is doing and what they are not doing.  If a key process (eg, information security) is not described in the report, ask the vendor about it.
  • User Control Considerations: User control considerations are simply controls that reside at the service organization.  Most audit reports have them.  Make sure your company considers these carefully.
  • Extent of Testing:  Since SAS 70/SSAE 16 are attestation engagements; auditors are required to perform audit procedures beyond inquiry (ie, asking questions) and observation.  The auditors are required to perform a significant part of the examination through inspection and where necessary, re-performance procedures.  In the results of tests—usually Section III—review the language used to describe the tests to see if it meets the criteria just described.

Leave a Reply

Your email address will not be published. Required fields are marked *