SSAE 16 Type 2 compliance | Fixed Fees | Learn about SOC 1 Reporting

Posted by on in Regulatory Compliance
  • Font size: Larger Smaller
  • Hits: 1423
  • Subscribe to this entry
  • Print

Call the experts at NDB Accountants & Consultants for SSAE 16 Type 2 compliance guidance and expert recommendations for undertaking such an assessment in an efficient and cost-effective manner. SSAE 16 Type 2 compliance can be a challenge for many service organizations, so take note of the following four (4) important elements for SOC 1 SSAE 16 reporting:

1. Scope is Critical. It’s important to understand the boundaries of SSAE 16 Type 2 compliance – specifically - what people, policies, processes, and procedures are to be included in an audit of this type. With that said, it’s universally agreed upon by most CPA firms conducting such engagements that the following general controls should be included from a scope perspective, regardless of the business type, function, or location:

    • Executive tone
    • Human Resources
    • Change Management
    • Logical Security
    • Network Security
    • Computer Operations
    • Physical Security
    • Environmental Security

Additionally, the service organization’s “business process” should also be included within the scope of an SSAE 16 Type 2 compliance assessment. From payroll companies to trust and actuarial services, SSAE 16 Type 2 compliance assessments are generally geared towards businesses that exhibit internal controls over financial reporting – a concept known as ICFR. Lastly, don’t forget to confirm with your clients as to their demands and overall expectations of what’s include in a SSAE 16 Type 2 compliance report. Communication with all parties is extremely critical for ensuring the success of SSAE 16 audits.

2. Policies and Procedures are Essential. No matter what the regulatory compliance mandate is – from Sarbanes Oxley to HIPAA, PCI DSS, and even the SOC reporting framework – information security and operational policies and procedures are highly essential. Why, because auditors look for documentation to confirm various practices in place at companies, and that’s exactly what’s needed for SOC 2 compliance. Thankfully, NDB offers a complimentary SOC 2 SSAE 16 and/or SOC 2 Policy Packet for every client we work with. It’s an invaluable set of high-quality, professionally developed templates that have been researched by and authored by regulatory compliance experts with years of I.T. and operational experience. There’s no need to spend hundreds of hours on policy templates, the hard work has already been done by NDB.  Learn more about NDB's complimentary SOC 1 Policy Packet and SOC 2 Policy PacketsIt truly makes a big difference in helping you save thousands of dollars on SOC compliance.

3. The focus “should” be on ICFR. Internal Controls over Financial Reporting (ICFR) is the basis for what an SSAE 16 Type 2 compliance report should be premised on. After all, the SSAE 16 professional standard is technically geared towards service organizations (i.e., banks, TPA’s, etc.) exhibiting a true nexus with financial controls. We at NDB preface “should” because there are numerous technology oriented businesses that are still undertaking SSAE 16 Type 2 compliance when they’re technically a much better fit for the AICPA SOC 2 framework. Call it politics or familiarity with the SSAE 16 standard, whatever it is, service organizations are slowly waking up and educating themselves as to which report they need - SOC 1, SOC 2 or perhaps even SOC 3.

4. It’s an annual commitment. Welcome to regulatory compliance where businesses all throughout North America – and the globe – are being required to undertake annual SSAE 16 Type 2 compliance audits. It’s only the beginning as more and more legislation and industry mandates keep coming like a freight train with literally no brakes to stop them. It means that YOU as a business need to plan and understand the long-term ramifications and considerations of regulatory compliance. It means being proactive about finding a professional services firm that offers competitive, fixed-fees, high-quality staff, and that can deliver a wide-range of compliance offerings, such as SOC 2, but also PCI DSS compliance, HIPAA, and more.

Call and speak directly with Christopher Nickell, CPA, at 1-800-277-5415, ext. 706 to discuss your SSAE 16 Type 2 compliance needs, along with any other compliance mandates, such as SOC 2, SOC 3, HIPAA, and PCI DSS compliance. Chris can also be reached at This email address is being protected from spambots. You need JavaScript enabled to view it. .

From I.T.consultants to seasoned regulatory compliance auditors, our firm's wide expertise is diverse, cross-functional, and highly experienced in all our service lines.

From I.T.consultants to seasoned regulatory compliance auditors, our firm's wide expertise is diverse, cross-functional, and highly experienced in all our service lines.