Control objectives, according to the SSAE 16 publication, "Reporting on Controls at a Service Organization", are the "aim or purpose of specified controls at the service organization which address the very risks that these controls are intended to effectively mitigate". In simpler terms, SSAE 16 control objectives are a series of statements put forth by an organization that address risks, for which these risks are to be effectively mitigated with supporting processes, procedures, policies, and related activities that are in place within the organization's control environment. For example, a common expression of a control objective is as follows:
Controls provide reasonable assurance that critical network devices are operating as designed, administered by qualified I.T. personnel, and securely hardened and provisioned to protect the organization's network infrastructure from external vulnerabilities.
In this example, the aim or purpose of the control objective is to address the risk of network vulnerabilities and to state what elements are in place to mitigate (and hopefully eliminate) those risks. Any number of supporting processes, procedures, policies, and related activities could serve that purpose, such as:
- a documented Network Security Policy;
- quarterly review of firewall rule sets;
- frequent changing of system administrative passwords;
along with many other activities.
Along with understanding the notion of what a control objective is, you'll also need to learn about the relationship between SSAE 16 control objectives and that of the Internal Control over Financial Reporting (ICFR) concept.
Technically speaking, developing control objectives is the responsibility of the service organization, since it is your environment that the CPA firm assesses in an SSAE 16 engagement. Even so, the process is best viewed as a collaborative effort between the service organization and the CPA firm: you have the knowledge of your control environment and your day-to-day operations, while the CPA firm has the expertise in performing SSAE 16 assessments. In short, the collaboration is a win-win.
Additionally, listed below are some example control objectives that can be used for SSAE 16 compliance as it relates to the ICFR concept discussed earlier.
- Controls provide reasonable assurance that batch processing transactions for critical financial data for clients are authorized, result in accurate output data, with reconciliation activities undertaken to confirm such accuracy.
- Controls provide reasonable assurance that the service organization's network infrastructure protects all critical client financial data from external threats and vulnerabilities.
- Controls provide reasonable assurance that all necessary reporting activities pertaining to critical financial data are conducted in an accurate, timely, and complete manner.
- Controls provide reasonable assurance that automated and manual controls are in place and utilized for initiating transactional procedures relating to critical financial data for clients.
Lastly, if you need assistance with identifying and developing control objectives, your organization may benefit from an SSAE 16 Readiness Assessment, performed by a highly qualified PCAOB CPA firm.