SSAE 16 - Internal Control Audits for Service Organizations

On June 15, 2011, the American Institute of Certified Public Accountants (AICPA) revised the SAS 70 standard of internal control audits for Service Organizations. The new standard, SSAE 16, shares similar principles with its predecessor and will include auditing the design of controls (Type I) and actually testing the controls implemented (Type II) through the Service Organization Control Report (SOC 1). In addition, under this new standard, two new reports (SOC 2 and SOC 3) can be used to test the AICPA’s Trust Services Principles for service organizations.

The SOC 1, SOC 2 or SOC 3 reports can demonstrate that a service organization has been through an in-depth audit of its control objectives and activities by an independent accounting and auditing firm.

The SSAE 16 audit includes a review of controls over transaction processing, data hosting and other related processes. Due to growing concerns over the security of customer information and data, service organizations must demonstrate they have adequate controls and safeguards in place. The SOC 2 standard and report can provide this attestation.

Some examples of organizations that may need an SSAE 16 audit are:

  • Third-party outsourcing vendors providing services to the healthcare and financial services industries
  • Credit processing organizations and clearinghouses
  • Medical claims processors
  • Payroll companies and third-party administrators
  • Service organizations providing managed IT services (web hosting, data processing, electronic records management)

These are just some of the service organizations in need of an SSAE 16 audit. At BlumShapiro, we can perform the appropriate type of SOC (Type I or Type II) and provide an audit opinion on your controls.