So, you have a current customer or client asking whether you have completed an SSAE 16 examination. Now you may have some basic questions such as the following:
What is an SSAE 16 audit report?
A Type II SSAE 16 report is an independent report on the design and operating effectiveness of key controls at a service organization. SSAE 16s were formerly called SAS 70s.
What is a service organization?
Service organizations are entities that provide outsourcing activities that are relevant to the control environments at user organizations. Examples of service organizations include payroll processors, hosted data centers, application service providers, and credit processing organizations.
If I don’t get an SSAE 16 audit, will I lose this customer?
You will need to determine how important the customer or client is that is requesting an SSAE 16 report. Consider requesting a proposal from an audit firm that specializes in performing SSAE 16s and weigh the cost of the report against the potential of losing a key customer or client.
Following are five reasons to consider having an SSAE 16 audit performed:
Top 5 Reasons to get an SSAE 16 / f. SAS 70 Report
1. Provide assurance to user organizations – A Type II SSAE 16 provides assurance to user organizations that the control objectives relating to the services provided by their service organization are suitably designed and operating effectively throughout the examination period. The report includes an opinion from an independent auditor on the design and operating effectiveness of relevant internal controls at a service provider.
2. Improve controls and business processes – SSAE 16s can help identify security weaknesses and gaps in internal control. If issues are identified during the examination, a service organization can improve their controls and/or business processes by remediating any identified issues.
3. Reduce audit time commitments and create efficiency in the audit process – An SSAE 16 can reduce or eliminate the need to have multiple user organization audits by providing user organizations with the information their auditors require in a generally accepted format.
4. Receive an independent assessment – Receive an independent assessment of your internal controls and tests of their effectiveness.
5. Aid in business development – An SSAE 16 may be provided to prospective customers or clients to give information about a service organization’s internal control environment and provide assurance that internal controls are working as designed.
Demonstrating SSAE 16 / SAS 70 Compliance
Once your service organization has gone through an SSAE 16 examination, you may provide the report to any customer or client that requests it. Audit firms that perform SSAE 16 examinations are usually also willing to provide a letter that states that that you have completed an SSAE 16 examination. This letter can be provided to prospective clients evidencing you have been through an SSAE 16 examination when the full report does not need to be provided.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.