The SSAE 16 standard introduced a number of new requirements for service organizations, one of the most significant being that management must provide a description of the organization's "system". The term "system" can carry several meanings, and it will inevitably be interpreted somewhat differently from one service organization to the next.
For SSAE 16 purposes, the "system" should be understood as the services provided, together with the supporting processes, policies, procedures, personnel and operational activities that make up the service organization's core activities relevant to user entities.
The description of the service organization's "system" must also identify the period it covers (or, for a type 1 report, the date as of which it speaks) and must list the control objectives. Keep in mind that SSAE 16 does not prescribe how the "system" is to be documented or in what depth; it requires that the description be fairly presented, not that it follow a set template. The format, depth and scope of the description will therefore vary from one service organization to another.
Even so, service organizations should strive to cover each of the following components when documenting the description of the "system":
- The services provided and the classes of transactions processed.
- The procedures, both automated and manual, by which those transactions are handled from beginning to end: how they are initiated, authorized, recorded, processed and corrected as necessary, and how they flow into the reports and other information prepared for user entities.
- How the system captures and addresses significant events and conditions other than transactions, and the processes used to prepare and report information to user entities.
- The control objectives, the controls designed to achieve them, and the complementary user entity controls assumed in the design of those controls.
- The service organization's elements of internal control, based on the COSO framework: control environment, risk assessment, control activities, information and communication, and monitoring.
Where the AICPA SAS 70 auditing standard called for a description of "controls", SSAE 16 requires a description of the "system". This is a fundamental difference: the criteria management used for the earlier SAS 70 description of controls are not the same as the criteria SSAE 16 establishes for the description of the system, so many service organizations will have to revise and expand what they previously documented rather than simply relabel it. Because management now issues a written assertion that the description is fairly presented, gaps in the description are management's exposure, not merely the auditor's.
Careful consultation with an experienced and qualified SSAE 16 auditor will help in assessing your reporting needs.
Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, to learn more about SSAE 16 and to receive a competitive, fixed-fee quote today. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.