What are user (also known as client or customer) control considerations and why are they in most SAS 70 / SSAE 16 audit reports?
User control considerations, or UCCs in audit jargon, are controls that the service organization assumes are in place at the user organization (the client or customer) rather than at the service organization itself. They are usually delineated in SAS 70 / SSAE 16 reports in their own report sub-section and/or next to the control objectives they relate to. UCCs and the control activities at the service organization work in conjunction to achieve the related control objective.
The following is an example of a UCC: User organizations should have controls in place to restrict access to the secure web portal that is used to transmit data to the service organization to only authorized individuals. Controls should include notifying the service organization when an individual’s access is no longer required or if authentication credentials have been compromised.
Most SAS 70 / SSAE 16 audit reports have UCCs, since they are integral to the design and operating effectiveness of the control environment. The UCCs are usually tested by the user auditor in conjunction with the financial statement audit of the user organization. If a SAS 70 / SSAE 16 audit report does not have any UCCs, this may indicate an incomplete report and therefore lead to inadequate financial statement audits at user organizations. If in doubt, talk to the service auditor; in most cases, they should be more than willing to answer questions on user control considerations.