SSAE 16 Audit Support and Remediation
SAS 70 – known as the Statement on Auditing Standards No. 70 was developed by the American Institute of Certified Public Accountants. SAS 70 defines and outlines the standards an auditor must use in order to assess the contracted internal controls of a service organization. By definition service organizations under SAS 70 would be hosted data centers, insurance claims processors and credit processing companies etc; any organizations that provides outsourcing services that affect the operation of the contracting enterprises or organization. SSAE 16 replaced the SAS 70 standard for all audits as of June 15, 2011.
SAS 70 Type I and Type II.
In a Type I report, the auditor evaluates the efforts of a service organization at the time of audit for prevention of accounting inconsistencies, errors and misrepresentation as well as the likelihood those effort will produce the desired future results.
In a Type II report, the same information is included as shown in a Type I report. However in a Type II report the auditor works to determine the effectiveness of agreed to controls since they were originally implemented. Type II reports also reviews data compiled during a specific time period – usually six months and operational areas that may need improvement as part of the overall report.
Generally SAS 70 reports are commissioned by the service organization or the user organization. Having a consistent and independent service auditor’s report builds customer confidence and trust. However a lack of current reports may generate multiple audits and can be very costly.
Loricca’s SSAE 16 Readiness Assessment
Loricca’s SSAE 16 Readiness Assessments is designed to assist service organizations in assessing their preparedness for an audit. Unlike a SAS 70 audit which has the objective of reporting on existing controls, our Readiness Assessment services are designed to identify those controls that should be implemented or improved prior to an actual audit.
Loricca’s Readiness Assessment services provide our clients the following benefits:
- Overview of methodology and operating procedures.
- Future audit time commitments that may be necessary from personnel are discussed/agreed to.
- Reporting (confidential internal use only) is provided that creates the basis for improving the overall control environment.
- Control descriptions are drafted and ready to be used for the subsequent SAS 70 audit.
- Strengths and weaknesses in the current control structure are documented (see reporting above) and communicated; includes detailed recommendations for improvements allowing for sufficient time to remediate any gaps in the control structure.
- Immediate questions and answer session with our SAS 70 professionals to discuss the impact potential changes to services or controls may have on the upcoming SAS 70 audit.
Who Should Consider an SSAE 16 Readiness Assessment? A service organization that answers yes to any of the following:
- desires to address its current readiness for an actual SSAE 16 / SAS 70 audit in a cost effective yet professional manner
- who has not recently or ever undergone a financial or regulatory audit that included IT controls as part of the audit
- that prefers an internal-use-only report for the purposes of identifying any current controls issues prior to the actual SAS 70 audit
- who intends to perform a Type 2 SAS 70 audit as its initial audit but wants to understand its internal issues prior to the audit
Contact us today to discuss SSAE 16 audits preparations and how our professional auditors can take a make your Type I and/or Type II audits as stress free as possible with being prepared and completed by auditing professionals. ~ 813-600-3005