Does your company provide payroll processing, loan servicing, or another outsourced service that impacts the financial statements of another company (or a group of other companies)? If so, then you may be asked by one of your clients to go through the SSAE No. 16 auditing process. But what is an SSAE No. 16 audit, and which parts of your business will it investigate? Read on to learn more about this auditing standard and why it may be important for ensuring the success of your business.
What is an SSAE No. 16 Audit?
The SSAE No. 16 (abbreviated to SSAE 16) is an update to the SAS 70 auditing standard. This update is essentially designed to make sure that your business has proper controls in place to provide secure outsourced financial services for other companies. The SAS 70 (Statement on Auditing Standards No. 70: Service Organizations) was the original auditing standard for this purpose. SAS 70 was developed by the American Institute of Certified Public Accountants (AICPA) and implemented in 1993.
In situations where a company needed to outsource a task or process that would affect their financial statements, an auditor would investigate the service organization being entrusted with that outsourced job. The auditor would use the AICPA standards to assess the service organization’s “control objectives and control activities.” The goal was essentially to determine whether or not the service organization had the proper security controls and safeguards in place (particularly in terms of servers, data centers, and other infrastructure of information technology) to ensure that the financial data belonging to the client would be kept safe and secure at all times.
In the previous incarnation of the AICPA’s auditing standard (the SAS 55), service organizations could be asked for individual audits of internal controls by every client for whom they did outsourced financial work. The redundancy of these audits was horribly inefficient and financially damaging for service organizations. The SAS 70 was developed to create a more “universal” audit report, allowing service organizations to go through the audit just once, and to then distribute the resulting report to each of their clients to ensure satisfactory internal controls.
The SSAE (Statements on Standards for Attestation Engagements) No. 16 is the latest evolution of the AICPA’s service organization auditing standard. The basic purpose of SSAE 16 is more or less the same as it was for SAS 70. (According to the AICPA, SSAE 16 “addresses examination engagements undertaken by a service auditor to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.”)
The primary difference between the two standards is that SSAE 16 is more thorough than its predecessor, recommending a deeper and broader examination of service organizations’ information security programs. The SSAE 16 also brings the American auditing standard up to date with the ISAE 3402, which is the international standard for “Assurance Reports on Controls at a Service Organization.”
Who Needs an SSAE 16 Audit Report—And Why Is It Important?
Now that you understand what the SSAE 16 auditing standard is, the next logical question is whether or not your business needs an SSAE 16 audit report on file. Generally, completing the audit is recommended as essential for companies that do work on the financial records of another company as an outsourced service organization.
The most obvious type of business to fall into this category is a company that does payroll processing for another business. However, www.ssae-16.com, the web’s top resource for information on the SSAE 16 auditing standard, also lists a number of other service organization industries that might need to provide an SSAE 16 audit report to clients. These industries include (but are not limited to) loan services, data center services, network monitoring services, software as a service (SaaS), and medical claims processors.
If your company works as an outsourced service organization in any of these industries, then having an SSAE 16 audit report on file is likely in your best interest. Going through the audit will prove to your prospective clients that you not only have IT control processes in place but also that those controls have been assessed and approved by an auditor.
If you have been audited in the past but have yet to upgrade your certification from SAS 70 to SSAE 16, taking the time (and spending the money) to do so is also a good idea. SSAE 16 went into effect in June 2011, and SAS 70 was officially phased out on June 15, 2015. Those businesses with the older certification will no longer be recognized as holding proof of a successful audit.
Finally, if you want to work with international clients, becoming SSAE 16 certified will assure them that you have gone through the process of making sure your IT control processes are up to their auditing standards. This will in turn help your company to attain more business—and make more money—on the international level.
Using eFileCabinet to Meet Audit Standards
If you are preparing for a service organization audit and need to make sure that you can meet SSAE 16 standards, eFileCabinet can help. We provide servers and data centers that you can use to securely store documents and data pertaining to client finances.
At eFileCabinet, our IT solutions are fully compliant with all FINRA and SEC government regulations and standards. Your files will be encrypted with SSL/TLS encryption while they are being transmitted from your computer to our data servers, and then protected with industry-standard 256-bit AES encryption once they are stored on the servers. Files are also backed up as soon as you upload them to our servers and are stored redundantly across servers in numerous geographic locations—so you won’t lose data in the extremely rare case of a server failure.
Are you interested in learning more about eFileCabinet, or in how we can help you reach government auditing standards? Fill out the form on this page for a 15-minute demo.