While the SSAE 16 standard requires management of the service organization to provide a description of its "system" and to produce a written assertion, SSAE 16 reporting also carries a number of other requirements and responsibilities.
Though much has been written and discussed regarding the description of the "system" and the written assertion, it is also important to understand the following key concepts in the SSAE 16 standard:
- "Monitoring of Controls" concept
- "The Identification of Risks" concept
- "Suitable Criteria" concept
Why? Because these concepts constitute a critical component of the service organization's description of its "system" and of the written assertion, both of which management must provide for SSAE 16 reporting.
The SSAE 16 standard allows management's monitoring activities to provide evidence regarding the design and operating effectiveness of controls, ultimately allowing the service organization to use the concept of "monitoring" as a key principle in support of the written assertion. In simpler terms, "monitoring" is a process by which the effectiveness of internal controls is assessed through activities that are generally built into the day-to-day operations of many service organizations, supplemented by separate evaluations.
A service organization's monitoring activities for purposes of SSAE 16 reporting can include the following:
- Evaluations of daily operations
- Management and supervisory activities
- Internal audit functions
- System (automated) and manual checks and balances
- Communication with third party entities
- Additional safeguards, controls, processes, procedures, and oversight activities that assist in monitoring a service organization’s system.
Regarding the SSAE 16 "Identification of Risks" concept, management is essentially responsible for identifying risks that threaten the achievement of the stated control objectives found within the description of the "system". In simpler terms: what processes, both formal and informal, does management have in place for identifying risks? Does the service organization undertake a risk assessment annually? Does your risk assessment process include a comprehensive analysis of your control environment and the related control objectives that are to be included within the description of the "system"? Do your control objectives adequately address all of the risks your organization seeks to mitigate?
And finally, the SSAE 16 "Suitable Criteria" concept is grounded in the premise that management of the service organization is responsible for selecting the criteria and for ensuring their appropriateness. Furthermore, the "suitable criteria" concept states that the subject matter must be capable of being evaluated against "criteria" considered suitable for the intended users. In simpler terms, the subject matter, which is management's description of its "system", is to be evaluated against certain criteria, namely the elements that constitute a fair presentation of the service organization's system. Additionally, the suitability of the design of controls (SSAE 16 Type 1) and the operating effectiveness of controls (SSAE 16 Type 2) must also be evaluated against suitable criteria.
What is fundamentally important to note about these three concepts ("Monitoring of Controls", "The Identification of Risks", "Suitable Criteria") is that they all play a critical role in helping management of the service organization develop and provide its description of its "system" along with the written assertion for SSAE 16 reporting. Thus, be advised that management's written assertion will contain specific references to the "criteria" clause.
Looking for a competitive, fixed-fee for SSAE 16 and all your SOC 1, 2, and 3 reporting needs? Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 today.
Audit: Charles Denyer