The Anatomy and Need for an SSAE 16 Audit
This e-book is designed to help business professionals
understand when they may need an SSAE 16 report and
key factors about the engagement.
We invite you to share your questions and comments
with us on Twitter, on our blog or through email at
SSAE16@auditwerx.com
TABLE of CONTENTS
Why Does Your Business Need an SSAE 16 Audit Report?
An SSAE 16 Audit is for Your Clients
Meeting Your Clients’ Needs Through an SSAE 16 Audit
History of SSAE 16 SOC 1 and SAS 70
Sarbanes-Oxley and the Public Company Accounting Oversight Board
SSAE 16 AUDIT REPORT
What is Examined in an SSAE 16 Audit?
Your First and Subsequent Audits
How Long is an SSAE 16 Report Relevant?
How Long Does it Take to Complete an SSAE 16 Audit Report?
Three Primary Factors in Completing an SSAE 16 Report
Cost Factors of an SSAE 16 Report
Type of Business
Number of Locations of the Business
Number of Employees
Number of Applications
Your Deadline
The 5 Stage Process to Producing an SSAE 16 Report
About Auditwerx
WHY DOES YOUR BUSINESS NEED an SSAE 16 AUDIT REPORT?
1. Your clients expect it.
2. Your compliance process will be streamlined and ready when a client or prospect
requests an SSAE 16 Audit Report.
3. You will communicate to clients and prospects your compliance with standards and
industry best practices.
4. You create a level playing field with your competitors.
5. You can be a leader in your industry.
A Statements on Standards for Attestation Engagements (SSAE) 16 audit enhances your
business. The audit engagement process provides you with a better understanding of the
design and operating effectiveness of your internal control environment. It also provides
you with verification of how your company is performing compared to industry standards
and best practices. This information enables you to improve your transaction processing
and controls when necessary, and positions your company to be more competitive.
The audit report is itself a powerful tool. It provides evidence of compliance with the
American Institute of Certified Public Accountants (AICPA) standard on control
environments—SSAE 16, and it sends a message to your clients and prospects that you
take controls and security seriously.
HISTORY of SSAE 16 SOC 1 and SAS 70
The SSAE 16 Audit is for Your Clients
A successful SSAE 16 Service Organization Controls (SOC) 1 audit results in the creation of
a final report called the Independent Service Auditors Report on Controls at a Service
Organization Relevant to User Entities’ Internal Control Over Financial Reporting. This is
the report you share with your clients to provide them with the auditor’s opinion about
your policies, procedures, and controls in the areas of IT, data security, and transaction
processing.
Meeting Your Clients’ Needs
A client normally requests an SSAE 16 SOC 1 report from you in order to meet their
Sarbanes-Oxley Act (SOX), section 404 requirements. Clients may request an SSAE 16
report at any time or for other reasons, but SOX 404 is by far the biggest trigger for these
audit engagements.
"Our company has completed
SAS 70 audits the last several
years with other companies.
We experienced a seamless
transition to Auditwerx and
the new SSAE 16 audit
standard. Auditwerx
organization and leadership
through the auditing process
made our recent audit our
most pleasant to date."
Matt W., V.P. Operations
Resource Benefits Administration Firm
The American Institute of Certified Public Accountants first issued SAS 70, the Statement
on Auditing Standards, number 70 in 1992. The purpose of a SAS 70 audit was to enable
service organizations to assure their public company clients that their data was safe.
Auditors analyzed and assessed internal controls within service organizations to
determine if the policies and procedures were sufficient to secure and handle data.
Sarbanes-Oxley and the Public Company Accounting Oversight Board
In 2002, in response to several high profile instances of fraud in public companies, the
U.S. Congress created the Sarbanes-Oxley Act to create a new set of standards for
financial activity in public companies. As part of the new regulations and standards
regarding financial reporting, the Public Company Accounting Oversight Board (PCAOB)
drafted section 404.
Section 404 of Sarbanes-Oxley requires publicly traded companies to test internal
controls that impact data relevant to their financial reporting to ensure transparency and
data integrity. Because the internal controls of a service organization can directly impact
the financial reporting requirements of a company with which they do business, service
organizations that serve public companies are subject to the same level of scrutiny of
their internal controls.
In June 2011, SAS 70 was replaced by SSAE 16, the Statements on Standards for
Attestation Engagements, number 16, designed to enable independent auditors to
provide an opinion on the design and effectiveness of internal controls of service
organizations. An SSAE 16 audit examination results in The Report on Controls at a Service
Organization Relevant to User Entities’ Internal Control Over Financial Reporting that the
organization can share with its clients and their auditors.
SSAE 16 AUDIT REPORT
The goal of the SSAE 16 audit examination report is to enable a service organization to
assure its public company clients that their internal controls are designed properly and
do what they say they do. The SSAE 16 audit examination has an independent, third-party
auditor provide an opinion on the design and effectiveness of the internal controls
with a direct impact on another company’s financial statements.
A service company working indirectly with the public company involved may still need an
SSAE 16 report. For example, an outsourcer that does invoicing for the online business of
a public company, due to their involvement in financial transactions, may require an SSAE
16 SOC 1 report to assure their client of the effectiveness of the design and
implementation of their controls and enable them to comply with regulations.
If the invoicing company, in turn, houses all their data with a data warehousing company,
because that data includes the financial data of the original retailer, the invoicing
company will need an SSAE 16 SOC 1 report from the data warehousing company as well.
The control environment of that public company can only be 100% in compliance with
SOX 404 and other applicable regulations if every step in the process and every entity
involved undergoes the same examination process.
"In 2012 when the new SSAE16
requirements were newly
implemented, we began looking
for an agency to perform the
SSAE16 SOC1 audit for us.
...Auditwerx did an exceptional
job to not interrupt business
while thoroughly auditing
everything we do. The week of
their site visit was intense and
pleasant and our work
continued as normal. I highly
recommend Auditwerx and
welcome any inquiries about
the organization."
Shae H., Director of Business Development
Receivables Management Company
WHAT is EXAMINED in an SSAE 16 AUDIT?
The transactions that are examined for an SSAE 16 report are those that are central to
your business. For example, if you run an employee benefits business, the audit
examination could include escrow accounts and processing payments. If you run a tax
processing business, the examination could include reviewing how you collect and
disburse money and make tax payments.
In an SSAE 16 report, we look at several elements of each transaction:
• Initiation of the process
• Authorization of the process
• Recording & logging of the process
• Security measures that are part of the process
• Accuracy of the process
• Timeliness of conducting the process
YOUR FIRST and SUBSEQUENT AUDITS
Once you have gathered all the supporting information for the first audit examination,
you can create a framework for documenting and storing each subsequent period's
information, so that you are better prepared for the audit in subsequent years.
How Long is an SSAE 16 Report Relevant?
An SSAE 16 SOC 1 report is a backward-looking report. That means you choose a point in
time and work backward for a period of three to twelve months to review internal
controls. This report is good for one full year from the date of the report. That holds true
whether the report was issued for a 3-, 6-, or 12-month review period.
The report is finalized and dated when the auditor has reviewed and tested all included
controls and received all the necessary documentation from you, the client. Because the
report date is critical to the verification of internal controls for your clients and for
reporting purposes, we recommend that companies begin the engagement 60 to 90 days
before it is needed. This ensures we have time to conduct the audit properly, issue the
report to meet your deadline, and enjoy a smooth process.
Because many companies request an SSAE 16 report from their contracted service
companies to coincide with the end of their own fiscal year, the request may come at an
awkward time for your organization. For example, a client may request the report for a
December 31 close of their fiscal year. If your company has operations that are also
impacted by the end of the year, you may not be able to work on an SSAE 16 audit at the
same time.
If it is more convenient for your company to conduct the SSAE 16 audit engagement
earlier than your clients need the report, an audit gap letter can be issued to extend
coverage to meet your client’s requirements. An audit gap letter extends coverage of the
audit for up to 90 days of operations after the report date. This allows us to conduct the
SSAE 16 audit earlier in the year as in the following example:
The date of your current SSAE 16 report is September 30, 2012 but your
client’s fiscal year ends December 31, 2012 and they need a report to
cover all of 2012. Within six months of the original report date (through
March 30, 2013), the auditor can issue an audit gap letter to extend the
validity of your SSAE 16 report to December 31, 2012 to satisfy the
client’s request.
“This was our first time to go
through this type of audit.
We were carefully guided
through each step of the
process. The entire audit
went very smoothly.”
Kelly T., Project Manager
Employee Benefits Administration
HOW LONG DOES it TAKE to COMPLETE an SSAE 16 AUDIT REPORT?
In general, the audit examination process takes about six to eight weeks, though there
are many factors that can affect how long an actual engagement will take. It is possible to
expedite an SSAE 16 audit examination and complete the report in as few as four weeks
if a company can provide full-time support of several staff members.
Three Primary Factors in Completing an SSAE 16 Report
Do you have documented policies and procedures?
If your organization has policies and procedures regarding internal controls in place, the
audit process can be quicker than if you have to create new procedures or
documentation for the purposes of the engagement. One advantage of working with an
experienced assurance audit provider is the auditor’s comprehensive system of
templates for any possible policy or procedure. Clients are often able to adjust a
pre-composed policy template to match their unique operations to avoid writing a new policy
or procedure from scratch.
How many controls or procedures does the audit include?
The number and complexity of the controls to be included in the audit affect the length
of the process. All policies and procedures that impact the financial reporting of your
clients must be included. For one organization there may be one or two relevant
procedures while there may be dozens that come into play for another.
How complex are your policies and procedures?
A relatively straightforward procedure like an employee termination procedure may be a
one- or two-page checklist. A more complex policy like an IT security policy may be a 30-
to 40-page document.
Resources Dedicated to the Audit Examination
In addition to these three factors that determine the scope of an audit engagement, your
company’s ability to dedicate resources to the project will affect the time needed to
complete the examination. To conduct an SSAE 16 SOC 1 audit examination, an auditor
must work closely with someone in your organization. An SSAE 16 audit examination
typically requires participation and input from the areas of IT, operations, human
resources, finance, and support operations. The amount of time needed with each team
member will depend on the service your organization provides and the number and
types of controls we need to review and test.
"We engaged Auditwerx to
assist us in completion of our
first SSAE16 audit. We found
the Auditwerx staff to be
extremely knowledgeable,
efficient and overwhelmingly
patient and helpful during the
entire process. The ease by
which they navigated us
through our audit was nothing
short of amazing! I would
highly recommend them!"
Jodie D., COO
Third Party Benefits Administration Firm
COST FACTORS of an SSAE 16 REPORT
The financial cost of an SSAE 16 report varies depending on many factors. Let’s look at
the five primary factors that affect the cost of an SSAE 16 report.
1. TYPE of BUSINESS
Some service businesses are more complex than others and have more internal controls
or are impacted by regulatory requirements.
2. NUMBER of LOCATIONS of the BUSINESS
Auditors are required to review the main office of a business as well as offices or facilities
that house computer servers involved in the service the organization provides. That may
involve traveling domestically or internationally.
3. NUMBER of EMPLOYEES
To ensure a proper separation of duties, auditors are required to report on
everyone who comes in contact with the transactions and anyone with access
to the data or the money.
4. NUMBER of APPLICATIONS
Auditors are required to report on the internal controls for each type of transaction that
impact your clients’ financial information. The auditors test a sample of all transactions
conducted in one year. The more applications you have that are subject to internal
control requirements, the more to test.
5. YOUR DEADLINE
The typical time required to produce an SSAE 16 SOC 1 report is six to eight weeks. It is
possible to produce a report more quickly but an expedited process will be more costly
than a report delivered in a standard timeframe.
For a U.S. or Canada-based service organization with 1 or 2 locations, 25 to 200
employees, and 1 to 3 standard services for their customers, standardized pricing
generally applies.
The 5 STAGE PROCESS to PRODUCING an SSAE 16 REPORT
Auditwerx has developed a five-stage process to help
clients estimate how long their SSAE 16 SOC 1
examination will take. This process includes planning,
preparation, on-site review, audit report draft, and audit
report completion. But this is not a cookie cutter service.
Once the planning stage is complete, we discuss with our
client the scope of the examination, the expected time
frame, and any unique requirements. We work closely
with clients to create a thorough SSAE 16 report that
communicates to your clients that your operations are
secure.
With our extensive experience, we have streamlined the SSAE 16 SOC 1 report process
for our clients. We take pride in our ability to serve clients efficiently while also getting to
know them as individuals and businesses. Each SSAE 16 SOC 1 audit engagement we
perform proceeds smoothly through each phase of the engagement. Our efficiency is
grounded in the fact that we do not use contractors. Rather, we have the ability to
provide the same audit team from start to finish on all phases of an engagement. This
allows us to understand our client’s operations thoroughly, not just audit them from a
distance. At the end of the day, providing value added guidance and recommendations to
our clients by going beyond the basics of the audit is what’s most important to us at
Auditwerx.
“Initially, we were concerned
about the magnitude of
undergoing a SSAE 16 SOC 1
audit…Auditwerx has a
seamless audit process; it
was so easy to upload the
required documents to their
website, track our progress,
receive feedback and input
and stay on top of the
process. We couldn’t be
more pleased with the audit
and with the overall end
product. Our SSAE 16 SOC 1
report was amazing.”
Scott B., Certified Public Accountant
Retirement Plan Administration
ABOUT AUDITWERX
Auditwerx is a trusted partner for service companies that require third-party Certified
Public Accountant (CPA) or Chartered Accountant (CA) auditor assurance engagements to
meet regulatory or customer compliance needs. We are a one-stop resource for U.S.,
Canadian, and International service organization controls examinations.
Our five (5) step process for SSAE, CSAE and ISAE audit engagements along with our
dedication to details is why our CPAs and IT experts have been delivering quality audit
services to a broad array of service organizations exclusively since 2005. To learn more
about the audit process or to discuss arranging an audit engagement, get in touch with us
at 888-893-5536 or email us at SSAE16@auditwerx.com
An International CPA and CA
Audit Firm
Auditwerx - United States
3000 Bayport Dr, Suite 480
Tampa, FL 33607
Office: 888-893-5536
Fax: 727-499-6867
Auditwerx - Canada
1 Yonge Street, Suite 1801
Toronto, ON M5E 1W7
Office: 866-320-1859
Our vision is to be
recognized as the most
trusted provider of audit
compliance services, our
industry’s employer of
choice, and our future
shareholders’ investment of
choice.