SSAE 16 Service Auditor Methodology
Scope Determination
Determining the scope of the SSAE 16 examination is one of the most challenging facets of the project. It is imperative that the scope of the examination meets the expectations and needs of our clients’ customers. The scope of an SSAE 16 examination comprises the system used to provide services to user organizations and the systems and functions that support the system. We will conduct interviews with key client personnel to determine the source of the SSAE 16 examination need as well as obtain a thorough understanding of management’s involvement with the control environment. We will obtain a thorough understanding of (a) the client’s business environment, (b) the various services offered, and (c) the impact of the identified services on user organizations and their financial statement assertions. This will help us scope the engagement accurately and assist our clients in meeting their contractual obligations with their customers regarding SSAE 16 reporting.
In determining the scope of the report, the client typically identifies the control objectives for each of the services covered within the scope of the examination. We can provide assistance in the wording of the control objectives; however, the client ultimately remains responsible for identifying the control objectives. An important aspect at an early stage of an SSAE 16 examination is to identify management and those charged with governance who ultimately will be responsible for signing off on management’s assertion and representations to us. Other considerations for the scope of the examination include whether or not sub-service organizations will be included or if a third party has established the control objectives to be included within the scope of the examination. A-lign will work with the client after the initial interview process to outline and finalize the steps of the SSAE 16 examination.
Planning
Obtaining an understanding of our client’s delivery commitments to its customers and discussing the timing of our procedures through final issuance of the report ensures we exceed our client’s expectations. If applicable, an important consideration is to understand the level of Internal Audit assistance that will be made available to assist in testing procedures. We will discuss communication protocols, including medium and frequency of communication, and will set up periodic status updates with our project sponsors to discuss progress, communicate findings on a real-time basis and discuss opportunities to address exceptions and recommend improvements in controls and performance.
Assessing Suitability of the Criteria and Obtaining Understanding of the Description of the System
After the scope is identified, A-lign will review the client-developed description of the system and understand whether suitable criteria have been utilized to develop the description of the system, to design the controls to achieve the control objectives and, in the case of a Type 2 report, to evaluate whether the controls operated effectively throughout the specified period. A-lign will perform an assessment to determine that the control objectives identified by the client are complete and that no portion of the description of the system relevant to the scope of the service organization’s system is omitted. We will determine if management has identified the risks that threaten the achievement of the control objectives; that the controls identified, if operating as described, would provide reasonable assurance that the risks would not prevent the control objectives from being achieved; and that the controls were consistently applied as designed throughout the specified period. We will also determine if management has a reasonable basis for their assertion. Such a basis may be achieved through a combination of on-going monitoring and separate evaluations. This process will allow A-lign to move forward to the next step of preparation for fieldwork and testing procedures outlined below.
Preparation for Fieldwork and Testing Procedures
A-lign understands that our client’s time is extremely valuable. We utilize a comprehensive information request list that is customized to the scope of the client’s description of the system and utilized as a tool to have documentation gathered prior to our onsite fieldwork. The information request list is typically sent four weeks prior to fieldwork. As necessary, we can conduct meetings to discuss our requests and ensure that the client fully understands the information needed to complete the examination. By gathering the documentation prior to our arrival, the client will help keep their examination fees lower and increase the efficiency of their personnel. The A-lign point of contact for the examination is always available to answer questions regarding our information request list. We encourage our clients to utilize our secure A-lign ClientConnect to upload documentation to fulfill the information request. This allows our team to review the responses for completeness and begin our examination testing even before onsite fieldwork.
We will submit to the client at least two weeks prior to onsite fieldwork a project plan that outlines which control objectives we will be auditing each day of our examination testing. The project plan is reviewed by the client to ensure that no scheduling conflicts exist.
Fieldwork and Testing Procedures
Onsite fieldwork and testing procedures are the most time intensive part of the examination for both the client and our audit team. The client’s completion of the information request list prior to our onsite visit greatly determines the efficiency of the fieldwork and testing procedure phase. Our walkthrough procedures are performed through a combination of inquiry, observation and inspection of records and other relevant documentation. This allows us to determine key controls necessary to achieve the control objectives and assess the effectiveness of the design of those controls. This provides the foundation for our testing procedures for a Type 2 SSAE 16 examination.
Our approach for testing includes both onsite and offsite testing. This method allows our team to limit our intrusion into the daily operation of our clients. Onsite fieldwork in the case of a Type 2 SSAE 16 examination will comprise observation of controls, inspection of evidence of sampled controls for the in-scope control objectives and, in some instances, re-performance of the controls where deemed necessary. By utilizing A-lign ClientConnect, offsite testing can be performed using the numerous means of electronic communication available. By performing a portion of the testing offsite, we are able to provide our clients with an extremely competitive pricing model for the examination.
Any recommendations or testing exceptions will be fully communicated to designated client personnel prior to the end of fieldwork and testing closing meeting. We will assess if the identified exceptions are within an expected rate of deviation and are acceptable or whether additional testing of the control or other controls would be necessary to reach a conclusion. This is a crucial step in our process to ensure that all client personnel are in agreement with recommendations and findings before presentation to senior management.
Reporting
A-lign prides itself on its efficient and timely reporting process. While many firms take 30 days or more to issue a report, A-lign’s project plans call for a draft report to be issued to the client within 10 business days of fieldwork completion. The draft will undergo a rigorous independent quality control review before issuance to the client. The draft report is submitted in Word form to the client to allow the client to suggest wording changes directly to the draft report. Once the draft is returned to A-lign, along with the management representation letter, the final report will be prepared for printing. Within five business days after the approval of the draft, responses to any testing exceptions, the return of the signed management representation letter, and subsequent events inquiry of management, we will deliver 3 bound copies, an unbound copy, and a secure Portable Document Format (PDF) of the report.
Continuous Client Service
A-lign is available to serve our clients throughout the year, and not just during the examination period. A key to a successful examination is continuous communication with your auditor. There are no additional fees incurred to discuss changes in business operations or assist with the implementation of recommendations resulting from the assessment. Additionally, if a client’s customer or customer’s auditors have any questions regarding the examination report, we would be happy to discuss those questions and provide any necessary workpapers at no cost to our client.