Home  »  SSAE 16 Fundamentals  »  SSAE 16 Audit Checklist | Part I

SSAE 16 Audit Checklist | Part I | 10 Step Process for Auditing Success

Service organizations would highly benefit from having a comprehensive SSAE 16 audit checklist – one that essentially assists in the preparation of planning for a Type 1 or Type 2 assessment by a CPA firm. As such, take note of the following SSAE 16 audit checklist, provided by NDB Accountants & Consultants (NDB), a nationally recognized PCAOB CPA firm.

1.    Find a competent and proven CPA firm that specializes in SOC reporting.  Many firms have entered into the regulatory compliance arena – and that’s a good thing – as competition results in numerous qualified professionals, along with pricing stability for SSAE 16 Type 1 and Type 2 reporting.  Choose a firm with years of experience performing third-party audits on control environments, and you should be fine.  Start by getting a fixed-fee quote from NDB Accountants and Consultants (NDB) by contacting Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 or emailing him at This e-mail address is being protected from spambots. You need JavaScript enabled to view it .

2.    Gain a strong understanding of SSAE 16.  Learning about the “who, what, when, where, and why” of SSAE 16 ultimately allows you to ask thoughtful, intelligent questions to CPA firms proposing, while providing useful information to senior management within one’s organization. A great place to learn essentially everything you need to know about SSAE 16 audit requirements is the official SSAE 16 Resource Guide, developed exclusively by NDB Accountants & Consultants.  Learn about the background of SSAE 16, types of reporting options, planning and scope considerations, along with literally dozens of other critical topics – it’s all available – and free – at the official SSAE 16 Resource Guide.

3.    Determine engagement scope.  A very important part of planning for an SSAE 16 Type 1 or Type 2 assessment is unearthing the essential boundaries of the engagement itself – specifically – the following:
(1). Are there any prior reporting assessments that were conducted (i.e., a recent SAS 70 audit or a prior year SSAE 16 report) that can assist in properly scoping the engagement?
(2). what control objectives and related controls will be used in forming the basis for SSAE 16 reporting and do they meet the stated requirements set forth by user entities for reporting purposes?
(3). Have all relevant and material subservice organizations been identified, and if so, will the “carve-out method” or the “inclusive method” be used regarding these entities?
(4). as for physical locations, how many are to be included within the scope of an SSAE 16 engagement? (5). what is the relevant testing period that will be used for SSAE 16 reporting? (6). what personnel at the service organization itself will be involved in facilitating the entire SSAE 16 audit process? These are high level questions and statements that can essentially be further refined for building one’s own SSAE 16 audit checklist.

4.    Conduct an internal SSAE 16 Readiness Assessment. Once the scope of the audit has been clearly identified and agreed upon, it’s time to examine the respective control environments for purposes of identifying any possible areas of remediation, which can include any number of issues, such as the following:

•    Lack of documented and formalized policies and procedures for many pertaining to the SSAE 16 assessment itself, particularly regarding information security documentation.
•    Weak enforcement of procedural based activities, such as opening formalized change request tickets, trouble tickets, etc. for any relevant issues.
•    Lack of audit evidence itself, as many systems simply fail to keep logging and audit trails for acceptable minimum periods.
•    Poorly provisioned systems that can often lead to network vulnerabilities and other exploits.

5.    Remediate areas of concern. It’s perfectly acceptable actually “remediate” areas that require remediation – after all – it’s why organizations conduct SSAE 16 Readiness Assessments prior to the actual audit itself.  The key is to truly remediate the findings, correct the deficiencies – ultimately improving one’s control environment.  What good is remediation if the areas of concern are flagged, yet little or no attention is given to them for correcting the problems?  Not only would receiving an “unqualified” (i.e., clean) opinion for the SSAE 16 be a real challenge, one’s control environment would still be exhibit material deficiencies.  It’s a no win situation, so remediate!

Read Part II of the SSAE 16 audit checklist whitepaper.

Interested in receiving a competitive-fixed fee for all your SOC 1 SSAE 16 reporting needs? Then contact Christopher G. Nickell, CPA, at 1-800-277-5415, ext 706 today, or email him at This e-mail address is being protected from spambots. You need JavaScript enabled to view it .

ssae16 audit checklist

Author: Charles Denyer