SSAE 16 (SOC 1) examinations assess controls at service organizations that are relevant to user entities’ (i.e. customers) internal control over financial reporting. Statement on Standards for Attestation Engagements (SSAE) No. 16 superseded the SAS 70 audit standard on June 15, 2011. The primary purpose of an SSAE 16 report is to provide customers and their financial statement auditors with an understanding of the services being provided and a CPA firm’s opinion as to whether the description is fairly presented, the controls are suitably designed, and in the case of a “Type 2” report, whether the controls were operating effectively over a specified period of time.
Determine preparedness for an SSAE 16 examination through a formal gap analysis process.
In a Type I report the auditor provides independent third-party verification as to whether control activities described by a service organization are appropriately designed to meet specified control objectives and whether the controls were placed in operation as of a particular date. Obtain a service auditor’s report that expresses an opinion on whether:
Type 2 SSAE 16 audits provide independent third-party verification as to whether control activities described by a service organization are suitably designed to meet specified control objectives, and whether these controls were in place and operating effectively over a period of time, typically between six (6) and twelve (12) months. Obtain a service auditor’s report that expresses an opinion on whether:
Who Must be Compliant?
An SSAE 16 is a voluntary compliance audit typically undertaken by outsourced service organizations that impact the control environment of their customers. Examples of service organizations include insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.
What does it cost to be compliant?
The cost of an SSAE 16 is dependent on the scope of the audit, the size of your organization, the complexity of the processing, and the maturity of the controls, to name but a few factors. First-time audits typically cost more. Depending on the audit scope and complexity.
What are the requirements?
The service organization, not the auditor, is responsible for describing the controls and control objectives that are disclosed in the SSAE 16 report. While there are no set rules on the controls that should be included in an SSAE 16, the quality of the audit report is often dependent on the appropriateness of the control objectives and the testing procedures. The auditor may provide guidance and recommendations. An SSAE 16 (SOC 1) typically covers the following processes: control environment, risk assessment processes, control activities, information and communication, and monitoring processes. The auditor typically evaluates and tests the following types of controls: application development, configuration management, change management, telecommunication network, logical access, physical access, data retention and transmission, application, and input and output process controls.
How can we help?
In today's global economy, IT service organizations and service providers must demonstrate that they have adequate controls and safeguards when they host or process customers' data. The AICPA's Statement on Standards for Attestation Engagements (SSAE) No. 16 is widely recognized as “the standard” for assessing internal controls of third-party service organizations. Since 2002, the requirements of Section 404 of the Sarbanes-Oxley Act have made SAS 70 audit reports even more important to the process of reporting on effective internal controls at service organizations.
True Holdings, Inc. helps clients prepare for the SSAE 16 audit and reduce both the time and expense associated with testing. With a solid foundation laid, the audit can proceed with the fewest unknowns.
Our approach ensures:
Contact us to learn more.