So, you have a current customer or client asking whether you have completed a SOC examination. Now you may have some basic questions such as the following:
- What is an SSAE 16 audit report?
A Type II SSAE 16 report is an independent report on the design and operating effectiveness of key controls at a service organization. A Type I SSAE 16 report is an independent report on the design of key controls in place at a service organization. SSAE 16s were formerly called SAS 70s.
- What is a service organization?
Service organizations are entities that provide outsourcing activities that are relevant to the control environments at user organizations. Examples of service organizations include payroll processors, hosted data centers, application service providers, and credit processing organizations.
- If I don’t get an SSAE 16 audit, will I lose this customer?
You will need to determine how important the customer or client requesting the SSAE 16 report is to your business. Consider requesting a proposal from an audit firm that specializes in performing SSAE 16s, and weigh the cost of the report against the potential of losing a key customer or client.
Top 5 Reasons to get an SSAE 16 / SAS 70 Report
Following are five reasons to consider having an SSAE 16 audit performed:
- Provide assurance to user organizations
A Type II SSAE 16 provides assurance to user organizations that the control objectives relating to the services provided by their service organization are suitably designed and operating effectively throughout an examination period. The report includes an opinion from an independent auditor on the design and operating effectiveness of relevant internal controls at a service provider.
- Improve controls and business processes
SSAE 16s can help identify security weaknesses and gaps in internal controls. If issues are identified during the examination, a service organization can improve their controls and/or business processes by remediating any identified issues.
- Reduce audit time commitments and create efficiency in the audit process
An SSAE 16 can reduce or eliminate the need to have multiple user organization audits by providing user organizations with the information their auditors require in a generally accepted format.
- Receive an independent assessment
Receive an independent assessment of your internal controls and tests of their effectiveness.
- Aid in business development
An SSAE 16 may be provided to prospective customers or clients to give information about a service organization’s internal control environment and provide assurance that internal controls are working as designed.
Demonstrating SSAE 16 / SAS 70 Compliance
Once your service organization has gone through an SSAE 16 examination, you may provide the report to any customer or client that requests it. Audit firms that perform SSAE 16 examinations are usually also willing to provide a letter stating that you have completed an SSAE 16 examination. This letter can be provided to prospective clients as evidence that you have been through an SSAE 16 examination when the full report does not need to be provided.