Call the experts at NDNB Accountants & Consultants for SSAE 16 Type 2 compliance guidance and expert recommendations for undertaking such an assessment in an efficient and cost-effective manner. SSAE 16 Type 2 compliance can be a challenge for many service organizations, so take note of the following four (4) important elements for SOC 1 SSAE 16 reporting:
1. Scope is Critical. It’s important to understand the boundaries of SSAE 16 Type 2 compliance, specifically which people, policies, processes, and procedures are to be included in an audit of this type. With that said, it’s generally agreed by the CPA firms conducting such engagements that the following general controls should be included from a scope perspective, regardless of the business type, function, or location:
- Executive tone
- Human Resources
- Change Management
- Logical Security
- Network Security
- Computer Operations
- Physical Security
- Environmental Security
Additionally, the service organization’s “business process” should also be included within the scope of an SSAE 16 Type 2 compliance assessment. From payroll companies to trust and actuarial services, SSAE 16 Type 2 compliance assessments are generally geared towards businesses that exhibit internal controls over financial reporting, a concept known as ICFR. Lastly, don’t forget to confirm with your clients what they require and expect to be included in an SSAE 16 Type 2 compliance report. Communication with all parties is critical to the success of SSAE 16 audits.
2. The focus “should” be on ICFR. Internal Controls over Financial Reporting (ICFR) is the basis on which an SSAE 16 Type 2 compliance report should be premised. After all, the SSAE 16 professional standard is technically geared towards service organizations (i.e., banks, TPAs, etc.) exhibiting a true nexus with financial controls. We at NDNB put “should” in quotation marks because there are numerous technology-oriented businesses that are still undertaking SSAE 16 Type 2 compliance when they’re technically a much better fit for the AICPA SOC 2 framework. Call it politics or familiarity with the SSAE 16 standard; whatever it is, service organizations are slowly waking up and educating themselves as to which report they need: SOC 1, SOC 2, or perhaps even SOC 3.
3. It’s an annual commitment. Welcome to regulatory compliance, where businesses all throughout North America – and the globe – are being required to undertake annual SSAE 16 Type 2 compliance audits. It’s only the beginning, as more and more legislation and industry mandates keep coming like a freight train with no brakes to stop them. It means that YOU as a business need to plan for and understand the long-term ramifications and considerations of regulatory compliance. It means being proactive about finding a professional services firm that offers competitive fixed fees and high-quality staff, and that can deliver a wide range of compliance offerings, such as SOC 2, but also PCI DSS compliance, HIPAA, and more.