If you want more assurance on the internal controls of the service provider, an SSAE 16 audit can be conducted. In an SSAE 16, the internal controls of the service are audited by an independent IT auditor, and the judgment is communicated to you.
The SSAE 16 standard is the American successor of the SAS 70 statement and was prepared on the basis of ISAE 3402. It places more emphasis on risk identification and management than the SAS 70 statement. Parties who operate under the rules of the pan-European audit firm IFAC are mainly held to the ISAE 3402, whereas parties affiliated with the American audit firm AICPA are held to the SSAE 16.
There are two types of investigation:
- Type I: This investigation focuses on how the processes and controls are designed and documented (intent), and whether they are applied in the workplace at the time under review (existence);
- Type II: This investigation focuses on the operation of the documented processes in the workplace, by performing a number of observations during the year (operation).
Who is the SSAE 16 audit intended for?
- You have outsourced IT operations and business processes and want a fair degree of certainty that the executing party has the internal control of these processes in order and that the (financial) reports are reliable;
- You wish to show your customers that you have the internal control of your processes in order;
- You operate under the Sarbanes-Oxley legislation.
You will be assured of the quality of internal processes and controls of the executing party;
You will be assured that the executing party complies with the contractual agreements in the field of internal processes and controls;
For service providers: The reliability of your organization towards your partners increases through certification.
In case of a Type I investigation, you will receive a report that describes whether an executing organization has documented and implemented the internal processes well, in design and reality;
In the case of a Type II investigation, you will receive a report that describes that, apart from the design, the internal processes and controls are being followed.