A-lign will understand your need for the SSAE 16 audit and its uses by your user organizations. Based upon our research, we will propose an implementation date for SSAE 16. In many cases the implementation date will be based upon the prior SAS 70 audit review periods. Once the service organization approves the implementation date, A-lign will present our suggested review period to the service auditor. 

A-lign will interview management personnel and review relevant documentation and contracts to identify third party providers that are a component of the services delivered within the scope of the review. A-lign can facilitate discussions between the company and third party providers to determine if the third party provider will provide an assertion report to allow the company to consider the use of the inclusion method within the company’s SSAE 16 report. If an assertion report cannot be provided by the third party, the carve-out method may be considered along with a possible third party provider change to a provider which will execute an assertion report or already has a SSAE 16 report. If a change is made to a third party provider who has a SSAE 16 report conducted already, the company should ensure that they can provide the third party provider SSAE 16 report to the company’s clients. 

Users of SAS 70 reports may be unaware of the standard being superseded by SSAE 16. Clients will have an expectation that companies will provide a SAS 70 audit report to them on an annual basis. Additionally, many contracts include requirements for a company to provide the customer with a SAS 70 audit report.   A-lign will review client contracts to identify any contractual obligations to provide a SAS 70 audit report to customers. A-lign works with the company legal counsel to draft new language to reflect the change to the audit standard and a requirement to provide a SSAE 16 report. A-lign will draft educational materials that the company can disseminate to its customers to educate them regarding the change to the SAS 70 audit standard and what to expect when they receive the SSAE 16 report. Another avenue to notify clients regarding the change may be at a users conference or a webinar. A-lign can attend the users conference, present at the webinar, or train company personnel to discuss the change themselves. 

Current SAS 70 reports are typically titled as description of controls. SSAE 16 titles the equivalent section of the report as a description of the system. Therefore, A-lign will understand the description of the system and evaluate the current description of controls using the criteria identified in the SSAE 16 standard. This evaluation may provide changes that need to be made to the description of the system. A-lign will redraft the description of the system to bring it in line with the SSAE 16 standard.

A-lign will perform a risk assessment of the services the company performs on behalf of user organizations using the criteria in SSAE 16. This risk assessment will determine the control objectives needed in the SSAE 16 report and identify any gaps in existing control objectives. A-lign will draft the additional objectives needed and identify the related control activities. This process ensures that management can assert that the control objectives and related control activities are suitably designed.

Management must demonstrate that procedures exist to monitor the operational effectiveness of control activities. The procedures could be in the form or monitoring controls or direct testing (not performed by the service auditor). Monitoring procedures will yield the greatest long term benefit and is generally the most cost effective manner. A-lign will develop a program for management to monitor the control activities to ensure the control activities are operating effectively as designed. A-lign can assist management in implementing the following monitoring activities to monitor operational effectiveness: 

Publicly traded companies can consider leveraging testing for Sarbanes-Oxley compliance to demonstrate the monitoring of operational effectiveness of control activities. Other organizations may need to resort to direct testing of control activities to satisfy their assertion. 

For companies with existing SAS 70 audit reports, the transition from SAS 70 to SSAE 16 can range from a small to significant level of effort and can create confusion for the company. A-lign has developed a methodology to bring the company’s current SAS 70 audit report aligned with the new SSAE 16 standard and ensure a successful transition.