The Anatomy and Need for an SSAE 16 Audit
This e-book is designed to help business professionals
understand when they may need an SSAE 16 report and
key factors about the engagement.
We invite you to share your questions and comments
with us on Twitter, on our blog or through email at
SSAE16@auditwerx.com
TABLE of CONTENTS
Why Does Your Business Need an SSAE 16 Audit Report?
An SSAE 16 Audit is for Your Clients
Meeting Your Clients’ Needs Through an SSAE 16 Audit
History of SSAE 16 SOC 1 and SAS 70
Sarbanes-Oxley and the Public Company Accounting Oversight Board
SSAE 16 AUDIT REPORT
What is Examined in an SSAE 16 Audit?
Your First and Subsequent Audits
How Long is an SSAE 16 Report Relevant?
How Long Does it Take to Complete an SSAE 16 Audit Report?
Three Primary Factors in Completing an SSAE 16 Report
Cost Factors of an SSAE 16 Report
Type of Business
Number of Locations of the Business
Number of Employees
Number of Applications
Your Deadline
The 5 Stage Process to Producing an SSAE 16 Report
About Auditwerx
auditwerx.com
WHY DOES YOUR BUSINESS NEED an SSAE 16 AUDIT REPORT?
1. Your clients expect it.
2. Your compliance process will be streamlined and ready when a client or prospect requests an SSAE 16 Audit Report.
3. You will communicate to clients and prospects your compliance with standards and industry best practices.
4. You create a level playing field with your competitors.
5. You can be a leader in your industry.
A Statements on Standards for Attestation Engagements (SSAE) 16 audit enhances your
business. The audit engagement process provides you with a better understanding of the
design and operating effectiveness of your internal control environment. It also provides
you with verification of how your company is performing compared to industry standards
and best practices. This information enables you to improve your transaction processing
and controls when necessary, and positions your company to be more competitive.
The audit report is itself a powerful tool. It provides evidence of compliance with the
American Institute of Certified Public Accountants (AICPA) standard on control
environments—SSAE 16, and it sends a message to your clients and prospects that you
take controls and security seriously.
HISTORY of SSAE 16 SOC 1 and SAS 70
The SSAE 16 Audit is for Your Clients
A successful SSAE 16 Service Organization Controls (SOC) 1 audit results in the creation of
a final report called the Independent Service Auditors Report on Controls at a Service
Organization Relevant to User Entities’ Internal Control Over Financial Reporting. This is
the report you share with your clients to provide them with the auditor’s opinion about
your policies, procedures, and controls in the areas of IT, data security, and transaction
processing.
Meeting Your Clients’ Needs
A client normally requests an SSAE 16 SOC 1 report from you in order to meet their
Sarbanes Oxley Act (SOX), section 404 requirements. Clients may request an SSAE 16
report at any time or for other reasons, but SOX 404 is by far the biggest trigger for these
audit engagements.
"Our company has completed SAS 70 audits the last several years with other companies. We experienced a seamless transition to Auditwerx and the new SSAE 16 audit standard. Auditwerx organization and leadership through the auditing process made our recent audit our most pleasant to date."
Matt W., V.P. Operations
Resource Benefits Administration Firm
HISTORY of SSAE 16 SOC 1 and SAS 70
The American Institute of Certified Public Accountants first issued SAS 70, the Statement
on Auditing Standards, number 70 in 1992. The purpose of a SAS 70 audit was to enable
service organizations to assure their public company clients that their data was safe.
Auditors analyzed and assessed internal controls within service organizations to
determine if the policies and procedures were sufficient to secure and handle data.
Sarbanes-Oxley and the Public Company Accounting Oversight Board
In 2002, in response to several high-profile instances of fraud in public companies, the
U.S. Congress passed the Sarbanes-Oxley Act to create a new set of standards for
financial activity in public companies. As part of the new regulations and standards
regarding financial reporting, the Public Company Accounting Oversight Board (PCAOB)
drafted section 404.
Section 404 of Sarbanes-Oxley requires publicly traded companies to test internal
controls that impact data relevant to their financial reporting to ensure transparency and
data integrity. Because the internal controls of a service organization can directly impact
the financial reporting requirements of a company with which they do business, service
organizations that serve public companies are subject to the same level of scrutiny of
their internal controls.
In June 2011, SAS 70 was replaced by SSAE 16, the Statements on Standards for
Attestation Engagements, number 16, designed to enable independent auditors to
provide an opinion on the design and effectiveness of internal controls of service
organizations. An SSAE 16 audit examination results in The Report on Controls at a Service
Organization Relevant to User Entities’ Internal Control Over Financial Reporting that the
organization can share with its clients and their auditors.
SSAE 16 AUDIT REPORT
The goal of the SSAE 16 audit examination report is to enable a service organization to
assure its public company clients that their internal controls are designed properly and
do what they say they do. The SSAE 16 audit examination has an independent, third-
party auditor provide an opinion on the design and effectiveness of the internal controls
with a direct impact on another company’s financial statements.
A service company working indirectly with the public company involved may still need an
SSAE 16 report. For example, an outsourcer that does invoicing for the online business of
a public company, due to their involvement in financial transactions, may require an SSAE
16 SOC 1 report to assure their client of the effectiveness of the design and
implementation of their controls and enable them to comply with regulations.
If the invoicing company, in turn, houses all their data with a data warehousing company,
because that data includes the financial data of the original retailer, the invoicing
company will need an SSAE 16 SOC 1 report from the data warehousing company as well.
The control environment of that public company can only be 100% in compliance with
SOX 404 and other applicable regulations if every step in the process and every entity
involved undergoes the same examination process.
"In 2012 when the new SSAE16 requirements were newly implemented, we began looking for an agency to perform the SSAE16 SOC1 audit for us. ...Auditwerx did an exceptional job to not interrupt business while thoroughly auditing everything we do. The week of their site visit was intense and pleasant and our work continued as normal. I highly recommend Auditwerx and welcome any inquiries about the organization."
Shae H., Director of Business Development
Receivables Management Company
WHAT is EXAMINED in an SSAE 16 AUDIT?
The transactions that are examined for an SSAE 16 report are those that are central to
your business. For example, if you run an employee benefits business the audit
examination could include escrow accounts and processing payments. If you run a tax
processing business, the examination could include reviewing how you collect and
disburse money and make tax payments.
In an SSAE 16 report, we look at several elements of each transaction:
• Initiation of the process
• Authorization of the process
• Recording & logging of the process
• Security measures that are part of the process
• Accuracy of the process
• Timeliness of conducting the process
YOUR FIRST and SUBSEQUENT AUDITS
Once you have gathered all the supporting information for the first audit examination,
you can create a framework for documenting and storing each subsequent period's
information, so that you are better prepared for the audit in subsequent years.
How Long is an SSAE 16 Report Relevant?
An SSAE 16 SOC 1 report is a backward-looking report. That means you choose a point in
time and work backward for a period of three to twelve months to review internal
controls. This report is good for one full year from the date of the report. That holds true
whether the report was issued for a 3-, 6-, or 12-month review period.
The report is finalized and dated when the auditor has reviewed and tested all included
controls and received all the necessary documentation from you, the client. Because the
report date is critical to the verification of internal controls for your clients and for
reporting purposes, we recommend that companies begin the engagement 60 to 90 days
before it is needed. This ensures we have time to conduct the audit properly, issue the
report to meet your deadline, and enjoy a smooth process.
Because many companies request an SSAE 16 report from their contracted service
companies to coincide with the end of their own fiscal year, the request may come at an
awkward time for your organization. For example, a client may request the report for a
December 31 close of their fiscal year. If your company has operations that are also
impacted by the end of the year, you may not be able to work on an SSAE 16 audit at the
same time.
If it is more convenient for your company to conduct the SSAE 16 audit engagement
earlier than your clients need the report, an audit gap letter can be issued to extend
coverage to meet your client’s requirements. An audit gap letter extends coverage of the
audit for up to 90 days of operations after the report date. This allows us to conduct the
SSAE 16 audit earlier in the year as in the following example:
The date of your current SSAE 16 report is September 30, 2012 but your
client’s fiscal year ends December 31, 2012 and they need a report to
cover all of 2012. Within six months of the original report date (through
March 30, 2013), the auditor can issue an audit gap letter to extend the
validity of your SSAE 16 report to December 31, 2012 to satisfy the
client’s request.
“This was our first time to go through this type of audit. We were carefully guided through each step of the process. The entire audit went very smoothly.”
Kelly T., Project Manager
Employee Benefits Administration
HOW LONG DOES it TAKE to COMPLETE an SSAE 16 AUDIT REPORT?
In general, the audit examination process takes about six to eight weeks, though there
are many factors that can affect how long an actual engagement will take. It is possible to
expedite an SSAE 16 audit examination and complete the report in as few as four weeks
if a company can provide full-time support of several staff members.
Three Primary Factors in Completing an SSAE 16 Report
Do you have documented policies and procedures?
If your organization has policies and procedures regarding internal controls in place, the
audit process can be quicker than if you have to create new procedures or
documentation for the purposes of the engagement. One advantage of working with an
experienced assurance audit provider is the auditor’s comprehensive system of
templates for any possible policy or procedure. Clients are often able to adjust a pre-
composed policy template to match their unique operations to avoid writing a new policy
or procedure from scratch.
How many controls or procedures does the audit include?
The number and complexity of the controls to be included in the audit affect the length
of the process. All policies and procedures that impact the financial reporting of your
clients must be included. For one organization there may be one or two relevant
procedures while there may be dozens that come into play for another.
How complex are your policies and procedures?
A relatively straightforward procedure like an employee termination procedure may be a
one- or two-page checklist. A more complex policy like an IT security policy may be a 30-
to 40-page document.
Resources Dedicated to the Audit Examination
In addition to these three factors that determine the scope of an audit engagement, your
company’s ability to dedicate resources to the project will affect the time needed to
complete the examination. To conduct an SSAE 16 SOC 1 audit examination, an auditor
must work closely with someone in your organization. An SSAE 16 audit examination
typically requires participation and input from the areas of IT, operations, human
resources, finance, and support operations. The amount of time needed with each team
member will depend on the service your organization provides and the number and
types of controls we need to review and test.
"We engaged Auditwerx to assist us in completion of our first SSAE16 audit. We found the Auditwerx staff to be extremely knowledgeable, efficient and overwhelmingly patient and helpful during the entire process. The ease by which they navigated us through our audit was nothing short of amazing! I would highly recommend them!"
Jodie D., COO
Third Party Benefits Administration Firm
COST FACTORS of an SSAE 16 REPORT
The financial cost of an SSAE 16 report varies depending on many factors. Let’s look at
the five primary factors that affect the cost of an SSAE 16 report.
1. TYPE of BUSINESS
Some service businesses are more complex than others and have more internal controls
or are impacted by regulatory requirements.
2. NUMBER of LOCATIONS of the BUSINESS
Auditors are required to review the main office of a business as well as offices or facilities
that house computer servers involved in the service the organization provides. That may
involve traveling domestically or internationally.
3. NUMBER of EMPLOYEES
To ensure a proper separation of duties, auditors are required to report on
everyone who comes in contact with the transactions and anyone with access
to the data or the money.
4. NUMBER of APPLICATIONS
Auditors are required to report on the internal controls for each type of transaction that
impact your clients’ financial information. The auditors test a sample of all transactions
conducted in one year. The more applications you have that are subject to internal
control requirements, the more to test.
5. YOUR DEADLINE
The typical time required to produce an SSAE 16 SOC 1 report is six to eight weeks. It is
possible to produce a report more quickly but an expedited process will be more costly
than a report delivered in a standard timeframe.
For a U.S. or Canada-based service organization with 1 or 2 locations, 25 to 200
employees, and 1 to 3 standard services for their customers, standardized pricing
generally applies.
The 5 STAGE PROCESS to PRODUCING an SSAE 16 REPORT
Auditwerx has developed a five-stage process to help
clients estimate how long their SSAE 16 SOC 1
examination will take. This process includes planning,
preparation, on-site review, audit report draft, and audit
report completion. But this is not a cookie-cutter service.
Once the planning stage is complete, we discuss with our
client the scope of the examination, the expected time
frame, and any unique requirements. We work closely
with clients to create a thorough SSAE 16 report that
communicates to your clients that your operations are
secure.
With our extensive experience, we have streamlined the SSAE 16 SOC 1 report process
for our clients. We take pride in our ability to serve clients efficiently while also getting to
know them as individuals and businesses. Each SSAE 16 SOC 1 audit engagement we
perform proceeds smoothly through each phase of the engagement. Our efficiency is
grounded in the fact that we do not use contractors. Rather, we have the ability to
provide the same audit team from start to finish on all phases of an engagement. This
allows us to understand our client’s operations thoroughly, not just audit them from a
distance. At the end of the day, providing value-added guidance and recommendations to
our clients by going beyond the basics of the audit is what’s most important to us at
Auditwerx.
“Initially, we were concerned about the magnitude of undergoing a SSAE 16 SOC 1 audit…Auditwerx has a seamless audit process; it was so easy to upload the required documents to their website, track our progress, receive feedback and input and stay on top of the process. We couldn’t be more pleased with the audit and with the overall end product. Our SSAE 16 SOC 1 report was amazing.”
Scott B., Certified Public Accountant
Retirement Plan Administration
ABOUT AUDITWERX
An International CPA and CA Audit Firm
Auditwerx is a trusted partner for service companies that require third-party Certified
Public Accountant (CPA) or Chartered Accountant (CA) auditor assurance engagements to
meet regulatory or customer compliance needs. We are a one-stop resource for U.S.,
Canadian, and International service organization controls examinations.
Our five (5) step process for SSAE, CSAE and ISAE audit engagements along with our
dedication to details is why our CPAs and IT experts have been delivering quality audit
services to a broad array of service organizations exclusively since 2005. To learn more
about the audit process or to discuss arranging an audit engagement, get in touch with us
at 888-893-5536 or email us at SSAE16@auditwerx.com.
Auditwerx - United States
3000 Bayport Dr, Suite 480
Tampa, FL 33607
Office: 888-893-5536
Fax: 727-499-6867
Auditwerx - Canada
1 Yonge Street, Suite 1801
Toronto, ON M5E 1W7
Office: 866-320-1859
Our vision is to be recognized as the most trusted provider of audit compliance services, our industry’s employer of choice, and our future shareholders’ investment of choice.

More than Just Lines on a Map: Best Practices for U.S Bike Routes
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
 
Barbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationBarbie - Brand Strategy Presentation
Barbie - Brand Strategy Presentation
 
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellGood Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
 
Introduction to C Programming Language
Introduction to C Programming LanguageIntroduction to C Programming Language
Introduction to C Programming Language
 
The Pixar Way: 37 Quotes on Developing and Maintaining a Creative Company (fr...
The Pixar Way: 37 Quotes on Developing and Maintaining a Creative Company (fr...The Pixar Way: 37 Quotes on Developing and Maintaining a Creative Company (fr...
The Pixar Way: 37 Quotes on Developing and Maintaining a Creative Company (fr...
 
9 Tips for a Work-free Vacation
9 Tips for a Work-free Vacation9 Tips for a Work-free Vacation
9 Tips for a Work-free Vacation
 
I Rock Therefore I Am. 20 Legendary Quotes from Prince
I Rock Therefore I Am. 20 Legendary Quotes from PrinceI Rock Therefore I Am. 20 Legendary Quotes from Prince
I Rock Therefore I Am. 20 Legendary Quotes from Prince
 

The Anatomy and Need for an SSAE 16 Audit

  • 1. The Anatomy and Need for an SSAE 16 Audit This e-book is designed to help business professionals understand when they may need an SSAE 16 report and key factors about the engagement. We invite you to share your questions and comments with us on Twitter, on our blog or through email at SSAE16@auditwerx.com
  • 2. TABLE of CONTENTS: Why Does Your Business Need an SSAE 16 Audit Report?; An SSAE 16 Audit is for Your Clients; Meeting Your Clients’ Needs Through an SSAE 16 Audit; History of SSAE 16 SOC 1 and SAS 70; Sarbanes-Oxley and the Public Company Accounting Oversight Board; SSAE 16 AUDIT REPORT; What is Examined in an SSAE 16 Audit?; Your First and Subsequent Audits; How Long is an SSAE 16 Report Relevant?; How Long Does it Take to Complete an SSAE 16 Audit Report?; Three Primary Factors in Completing an SSAE 16 Report; Cost Factors of an SSAE 16 Report; Type of Business; Number of Locations of the Business; Number of Employees; Number of Applications; Your Deadline; The 5 Stage Process to Producing an SSAE 16 Report; About Auditwerx
  • 3. WHY DOES YOUR BUSINESS NEED an SSAE 16 AUDIT REPORT? 1. Your clients expect it. 2. Your compliance process will be streamlined and ready when a client or prospect requests an SSAE 16 Audit Report. 3. You will communicate to clients and prospects your compliance with standards and industry best practices. 4. You create a level playing field with your competitors. 5. You can be a leader in your industry.
  • 4. A Statements on Standards for Attestation Engagements (SSAE) 16 audit enhances your business. The audit engagement process provides you with a better understanding of the design and operating effectiveness of your internal control environment. It also provides you with verification of how your company is performing compared to industry standards and best practices. This information enables you to improve your transaction processing and controls when necessary, and positions your company to be more competitive. The audit report is itself a powerful tool. It provides evidence of compliance with the American Institute of Certified Public Accountants (AICPA) standard on control environments—SSAE 16, and it sends a message to your clients and prospects that you take controls and security seriously. HISTORY of SSAE 16 SOC 1 and SAS 70
  • 5. The SSAE 16 Audit is for Your Clients: A successful SSAE 16 Service Organization Controls (SOC) 1 audit results in the creation of a final report called the Independent Service Auditors Report on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting. This is the report you share with your clients to provide them with the auditor’s opinion about your policies, procedures, and controls in the areas of IT, data security, and transaction processing. Meeting Your Clients’ Needs: A client normally requests an SSAE 16 SOC 1 report from you in order to meet their Sarbanes Oxley Act (SOX), section 404 requirements. Clients may request an SSAE 16 report at any time or for other reasons, but SOX 404 is by far the biggest trigger for these audit engagements. "Our company has completed SAS 70 audits the last several years with other companies. We experienced a seamless transition to Auditwerx and the new SSAE 16 audit standard. Auditwerx organization and leadership through the auditing process made our recent audit our most pleasant to date." Matt W., V.P. Operations, Resource Benefits Administration Firm
  • 6. HISTORY of SSAE 16 SOC 1 and SAS 70: The American Institute of Certified Public Accountants first issued SAS 70, the Statement on Auditing Standards, number 70, in 1992. The purpose of a SAS 70 audit was to enable service organizations to assure their public company clients that their data was safe. Auditors analyzed and assessed internal controls within service organizations to determine if the policies and procedures were sufficient to secure and handle data. Sarbanes-Oxley and the Public Company Accounting Oversight Board: In 2002, in response to several high-profile instances of fraud in public companies, the U.S. Congress created the Sarbanes-Oxley Act to create a new set of standards for financial activity in public companies. As part of the new regulations and standards regarding financial reporting, the Public Company Accounting Oversight Board (PCAOB) drafted section 404.
  • 7. Section 404 of Sarbanes-Oxley requires publicly traded companies to test internal controls that impact data relevant to their financial reporting to ensure transparency and data integrity. Because the internal controls of a service organization can directly impact the financial reporting requirements of a company with which they do business, service organizations that serve public companies are subject to the same level of scrutiny of their internal controls. In June 2011, SAS 70 was replaced by SSAE 16, the Statements on Standards for Attestation Engagements, number 16, designed to enable independent auditors to provide an opinion on the design and effectiveness of internal controls of service organizations. An SSAE 16 audit examination results in The Report on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting that the organization can share with its clients and their auditors.
  • 8. SSAE 16 AUDIT REPORT: The goal of the SSAE 16 audit examination report is to enable a service organization to assure its public company clients that their internal controls are designed properly and do what they say they do. The SSAE 16 audit examination has an independent, third-party auditor provide an opinion on the design and effectiveness of the internal controls with a direct impact on another company’s financial statements. A service company working indirectly with the public company involved may still need an SSAE 16 report. For example, an outsourcer that does invoicing for the online business of a public company, due to their involvement in financial transactions, may require an SSAE 16 SOC 1 report to assure their client of the effectiveness of the design and implementation of their controls and enable them to comply with regulations. If the invoicing company, in turn, houses all their data with a data warehousing company, because that data includes the financial data of the original retailer, the invoicing company will need an SSAE 16 SOC 1 report from the data warehousing company as well. The control environment of that public company can only be 100% in compliance with SOX 404 and other applicable regulations if every step in the process and every entity involved undergoes the same examination process. "In 2012 when the new SSAE16 requirements were newly implemented, we began looking for an agency to perform the SSAE16 SOC1 audit for us. ...Auditwerx did an exceptional job to not interrupt business while thoroughly auditing everything we do. The week of their site visit was intense and pleasant and our work continued as normal. I highly recommend Auditwerx and welcome any inquiries about the organization." Shae H., Director of Business Development, Receivables Management Company
  • 9. WHAT is EXAMINED in an SSAE 16 AUDIT? The transactions that are examined for an SSAE 16 report are those that are central to your business. For example, if you run an employee benefits business, the audit examination could include escrow accounts and processing payments. If you run a tax processing business, the examination could include reviewing how you collect and disburse money and make tax payments. In an SSAE 16 report, we look at several elements of each transaction: Initiation of the process; Authorization of the process; Recording & logging of the process; Security measures that are part of the process; Accuracy of the process; Timeliness of conducting the process.
  • 10. YOUR FIRST and SUBSEQUENT AUDITS: Once you have gathered all the supporting information for the first audit examination, you can create a framework for documenting and storing each subsequent period’s information, so that you are better prepared for the audit in subsequent years. How Long is an SSAE 16 Report Relevant? An SSAE 16 SOC 1 report is a backward-looking report. That means you choose a point in time and work backward for a period of three to twelve months to review internal controls. This report is good for one full year from the date of the report. That holds true whether the report was issued for a 3-, 6-, or 12-month review period. The report is finalized and dated when the auditor has reviewed and tested all included controls and received all the necessary documentation from you, the client. Because the report date is critical to the verification of internal controls for your clients and for reporting purposes, we recommend that companies begin the engagement 60 to 90 days before it is needed. This ensures we have time to conduct the audit properly, issue the report to meet your deadline, and enjoy a smooth process.
  • 11. Because many companies request an SSAE 16 report from their contracted service companies to coincide with the end of their own fiscal year, the request may come at an awkward time for your organization. For example, a client may request the report for a December 31 close of their fiscal year. If your company has operations that are also impacted by the end of the year, you may not be able to work on an SSAE 16 audit at the same time. If it is more convenient for your company to conduct the SSAE 16 audit engagement earlier than your clients need the report, an audit gap letter can be issued to extend coverage to meet your client’s requirements. An audit gap letter extends coverage of the audit for up to 90 days of operations after the report date. This allows us to conduct the SSAE 16 audit earlier in the year, as in the following example: The date of your current SSAE 16 report is September 30, 2012, but your client’s fiscal year ends December 31, 2012 and they need a report to cover all of 2012. Within six months of the original report date (through March 30, 2013), the auditor can issue an audit gap letter to extend the validity of your SSAE 16 report to December 31, 2012 to satisfy the client’s request. “This was our first time to go through this type of audit. We were carefully guided through each step of the process. The entire audit went very smoothly.” Kelly T., Project Manager, Employee Benefits Administration
  • 12. HOW LONG DOES it TAKE to COMPLETE an SSAE 16 AUDIT REPORT? In general, the audit examination process takes about six to eight weeks, though there are many factors that can affect how long an actual engagement will take. It is possible to expedite an SSAE 16 audit examination and complete the report in as few as four weeks if a company can provide full-time support of several staff members. Three Primary Factors in Completing an SSAE 16 Report: Do you have documented policies and procedures? If your organization has policies and procedures regarding internal controls in place, the audit process can be quicker than if you have to create new procedures or documentation for the purposes of the engagement. One advantage of working with an experienced assurance audit provider is the auditor’s comprehensive system of templates for any possible policy or procedure. Clients are often able to adjust a pre-composed policy template to match their unique operations to avoid writing a new policy or procedure from scratch.
  • 13. How many controls or procedures does the audit include? The number and complexity of the controls to be included in the audit affect the length of the process. All policies and procedures that impact the financial reporting of your clients must be included. For one organization there may be one or two relevant procedures while there may be dozens that come into play for another. How complex are your policies and procedures? A relatively straightforward procedure like an employee termination procedure may be a one- or two-page checklist. A more complex policy like an IT security policy may be a 30- to 40-page document. Resources Dedicated to the Audit Examination: In addition to these three factors that determine the scope of an audit engagement, your company’s ability to dedicate resources to the project will affect the time needed to complete the examination. To conduct an SSAE 16 SOC 1 audit examination, an auditor must work closely with someone in your organization. An SSAE 16 audit examination typically requires participation and input from the areas of IT, operations, human resources, finance, and support operations. The amount of time needed with each team member will depend on the service your organization provides and the number and types of controls we need to review and test. "We engaged Auditwerx to assist us in completion of our first SSAE16 audit. We found the Auditwerx staff to be extremely knowledgeable, efficient and overwhelmingly patient and helpful during the entire process. The ease by which they navigated us through our audit was nothing short of amazing! I would highly recommend them!" Jodie D., COO, Third Party Benefits Administration Firm
  • 14. COST FACTORS of an SSAE 16 REPORT: The financial cost of an SSAE 16 report varies depending on many factors. Let’s look at the five primary factors that affect the cost of an SSAE 16 report. 1. TYPE of BUSINESS: Some service businesses are more complex than others and have more internal controls or are impacted by regulatory requirements. 2. NUMBER of LOCATIONS of the BUSINESS: Auditors are required to review the main office of a business as well as offices or facilities that house computer servers involved in the service the organization provides. That may involve traveling domestically or internationally. 3. NUMBER of EMPLOYEES: To ensure a proper separation of duties, auditors are required to report on everyone who comes in contact with the transactions and anyone with access to the data or the money.
  • 15. 4. NUMBER of APPLICATIONS: Auditors are required to report on the internal controls for each type of transaction that impact your clients’ financial information. The auditors test a sample of all transactions conducted in one year. The more applications you have that are subject to internal control requirements, the more there is to test. 5. YOUR DEADLINE: The typical time required to produce an SSAE 16 SOC 1 report is six to eight weeks. It is possible to produce a report more quickly, but an expedited process will be more costly than a report delivered in a standard timeframe. For a U.S. or Canada-based service organization with 1 or 2 locations, 25 to 200 employees, and 1 to 3 standard services for their customers, standardized pricing generally applies.
  • 16. The 5 STAGE PROCESS to PRODUCING an SSAE 16 REPORT: Auditwerx has developed a five-stage process to help clients estimate how long their SSAE 16 SOC 1 examination will take. This process includes planning, preparation, on-site review, audit report draft, and audit report completion. But this is not a cookie-cutter service. Once the planning stage is complete, we discuss with our client the scope of the examination, the expected time frame, and any unique requirements. We work closely with clients to create a thorough SSAE 16 report that communicates to your clients that your operations are secure.
  • 17. With our extensive experience, we have streamlined the SSAE 16 SOC 1 report process for our clients. We take pride in our ability to serve clients efficiently while also getting to know them as individuals and businesses. Each SSAE 16 SOC 1 audit engagement we perform proceeds smoothly through each phase of the engagement. Our efficiency is grounded in the fact that we do not use contractors. Rather, we have the ability to provide the same audit team from start to finish on all phases of an engagement. This allows us to understand our client’s operations thoroughly, not just audit them from a distance. At the end of the day, providing value-added guidance and recommendations to our clients by going beyond the basics of the audit is what’s most important to us at Auditwerx. “Initially, we were concerned about the magnitude of undergoing a SSAE 16 SOC 1 audit…Auditwerx has a seamless audit process; it was so easy to upload the required documents to their website, track our progress, receive feedback and input and stay on top of the process. We couldn’t be more pleased with the audit and with the overall end product. Our SSAE 16 SOC 1 report was amazing.” Scott B., Certified Public Accountant, Retirement Plan Administration
  • 18. ABOUT AUDITWERX: An International CPA and CA Audit Firm. Auditwerx is a trusted partner for service companies that require third-party Certified Public Accountant (CPA) or Chartered Accountant (CA) auditor assurance engagements to meet regulatory or customer compliance needs. We are a one-stop resource for U.S., Canadian, and International service organization controls examinations. Our five (5) step process for SSAE, CSAE and ISAE audit engagements along with our dedication to details is why our CPAs and IT experts have been delivering quality audit services to a broad array of service organizations exclusively since 2005. To learn more about the audit process or to discuss arranging an audit engagement, get in touch with us at 888-893-5536 or email us at SSAE16@auditwerx.com. Auditwerx - United States: 3000 Bayport Dr, Suite 480, Tampa, FL 33607; Office: 888-893-5536; Fax: 727-499-6867. Auditwerx - Canada: 1 Yonge Street, Suite 1801, Toronto, ON M5E 1W7; Office: 866-320-1859. Our vision is to be recognized as the most trusted provider of audit compliance services, our industry’s employer of choice, and our future shareholders’ investment of choice.