SSAE 16 Preparation
PSC provides a Statement on Standards for Attestation Engagements No. 16 (SSAE 16) readiness assessment consisting of examining the service organization's description of controls to determine fairness; suitability of design and operational effectiveness.
About SSAE 16
Statement on Standards for Attestation Engagements (SSAE) No. 16 (SSAE 16) is an additional enhancement to the Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70. It is designed to bring US based companies up to international standards (namely ISAE 3402) for service organization reporting standards. SSAE became applicable on July 15, 2011.
The standard is issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). The SSAE defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor's report.
Service organizations are entities that provide outsourcing services that either process transactions or provide services that impact or are part of the control environment of their customers (relying party).
There are two types of SSAE 16 reports. Type 1 report includes selection of the "fairness of presentation" and "suitability of design" criteria. A Type 2 report includes selection of the "fairness of presentation", "suitability of design" and "operating effectiveness" criteria. The selected criteria are included in the management assertion section of the SSAE 16 report.
PSC will provide a SSAE 16 readiness assessment consisting of examining the service organization's description of controls to determine whether:
- It presents fairly, in all material respects, the relevant aspects of the service organizations controls that had been placed in operation as of a specified date.
- The controls were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with satisfactorily.
- The controls are operating effectively and this operation supports the management attestation that controls are in place within the description of the service organization.
This process is normally achieved in 3 phases:
Phase 1 – Scoping and Client Readiness Evaluation
This phase is critical in the preparation of the client and involves, preparation and review for fairness with management of the "Description of the service organizations systems", as of a specific date and covering a defined period; understanding of existing controls and discussion and review with management; documentation of controls Preparation of new controls to support the management attestation of control effectiveness.
Phase 2 – Implementation of Recommendations
PSC will assist with advice and review of implementation architecture including the Client's implementation of policies, procedures and controls; Client management review of project status and Client management certification of completion of remediation tasks.
Phase 3 – Baseline Testing
PSC will perform testing and evaluation of selected controls to gain sufficient confidence that Client meets controls objectives and that controls are operating effectively.
Please contact us for more information