Compliance Preparation and IT Audit
Planning, Liaison, Remediation, Testing, Certification
SSAE 16, PCI, HIPAA, GLBA, SOX, DRP, BCP, Penetration Testing, Internal IT Audit - Tampa, Miami, and Nationwide
Business or IT managers, do you need assistance in creating internal documents for auditors, such as a management attestation letter and a narrative of your business’ systems/processes newly required by SSAE 16?
SSAE 16 Certification has been a standard reporting format since June 2011, is recognized internationally, and replaces the outdated SAS 70. The review of IT controls relates to 3rd Party Vendors' services, such as colocation sites, payroll processing companies, application developers, etc. A big change for business management is the need to develop narratives and other documentation that were not always required by SAS 70.
There are several types of SSAE 16 reports, for example SOC 1, 2, & 3, Type I and II. Type I is 'point in time testing,' and Type II is testing of controls that existed throughout the test period (typically the fiscal year). The most up-to-date information can be found on the AICPA website.
The difference between SSAE 16 and some alternative certifications is that SSAE 16 reviews are overseen and signed off by a registered CPA firm, and each type of SSAE 16 review is therefore more expensive than the alternatives.
Audit READY - Certified IT Service Vendors is a less expensive alternative to SSAE 16.
When a corporation has routine financial audits or audits related to governmental regulations, the work of their outsourced IT service providers is also audited. A limited list of such audited outsourced services includes:
At the end of each audit, the corporation, not the IT Service provider, is ultimately responsible for any issues found. For example, corporations using IT vendors for key services will be held responsible for issues found that result from the IT Vendors’ performance. Areas subject to review could include errors and omissions in documentation or processes in:
Corporations can gain a reasonable sense of assurance when their IT vendor offers Audit READY Certification of its IT services, verifying that they are 'audit ready'. Guidance for remediation of issues IS given, and advice to adhere to industry standards/best practice IS given, unlike SSAE 16 reviews.