The SSAE 16 standard states that management's monitoring activities may provide evidence regarding the design and operating effectiveness of controls, thus allowing management of the service organization to use "monitoring" as a key element in supporting management's assertion.
What is the "monitoring" concept?
"Monitoring" is the process by which the effectiveness of internal controls is assessed, through activities that are generally built into the daily operations of a service organization, supplemented by separate evaluations where necessary. Monitoring activities vary widely and can span a number of different processes and procedures, such as the following:
- Evaluating one's daily operational activities
- Using internal audit personnel, or staff in a similar role, to perform a wide range of procedures across the various departments of a service organization.
- Automated system checks and balances, such as batch-processing controls, reconciliations, quality assurance checks, and system error checks.
- Correspondence with any third-party entities.
- Any additional processes, procedures, and safeguards as necessary.
The Essentials to Performing "Monitoring" Activities for SSAE 16 SOC 1 Compliance
Most service organizations carry out monitoring successfully through a combination of ongoing daily operational activities and separate evaluations. The phrase "separate evaluations", which is used in the final SSAE 16 standard publication, can cover any number of activities that fall outside a service organization's ongoing daily operations.
Common examples of "separate evaluations" include surprise audits by third parties, such as clients or government regulatory agencies; due-diligence audits or reports commissioned by prospective clients; and one-time or random internal evaluations performed as needed. In short, a wide variety of activities can fall under the phrase "separate evaluations" for the purposes of the SSAE 16 standard.
Additionally, monitoring for purposes of SSAE 16 includes assessing the effectiveness of the control environment and taking the action necessary to correct and remediate any weaknesses or deficiencies found. Monitoring is not a static, one-time event, but a continuous effort by everyone in the organization to assess and improve its system of internal controls.
Are you Monitoring your Controls for SSAE 16 SOC 1?
To put the concept of monitoring into better perspective, ask yourself which activities your organization undertakes for monitoring, and how those activities provide evidence that ultimately supports your (i.e., management's) assertion, which is a key deliverable for SSAE 16 reporting. Looking for a competitive, fixed-fee for SSAE 16 and all your SOC 1, 2, and 3 reporting needs? Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 today.
Lastly, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines "monitoring" as follows:
“Internal control systems need to be monitored--a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties…”
Turn to the Experts at NDB for SSAE 16 SOC 1 Assistance
NDB has years of experience assisting service organizations with SSAE 16 SOC 1 compliance, along with numerous other compliance mandates, such as SOC 2, SOC 3, PCI DSS, HIPAA, HITECH, HITRUST, GLBA, FISMA, DFARS, Regulation AB reporting, and more. We have been hard at work in the field of regulatory compliance for years, offering superior services and fixed-fee pricing for all our services. Contact Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, or email him directly at firstname.lastname@example.org today.