Controls Advisor, LLC

Business or IT managers, do you need assistance in creating internal documents for auditors, such as a management attestation letter and a narrative of your business’ systems/processes newly required by SSAE 16?  Click here.

SSAE 16 Certification is a standard reporting format since June 2011, is recognized internationally, and replaces the outdated SAS 70. The review of IT controls is related to 3rd Party Vendors' services, such as collocation sites, payroll processing companies, application developers, etc. A big change for business management includes your needing to develop narratives and other documentation that was not always required by SAS 70.

There are several types of SSAE 16 reports, for example SOC 1, 2, & 3, type I and II.  Type I is 'point in time testing,' and Type II is testing of controls that existed throughout the test period (typically the fiscal year).  The most up to date information can be found on the AICPA website.

The difference in SSAE 16 and some alternative certifications is SSAE 16 reviews are overseen and signed-off by a registered CPA firm, and the cost of each type of SSAE 16 is therefore more expensive than alternatives.

Audit READY - Certified IT Service Vendors is a less expensive alternative to SSAE 16.

We certify IT Service Vendors are ready for their clients' financial or IT auditors.  IT Service Vendors, click here for certification requirements or audit and certification sub-categories specific to the each of the vendor's clients' regulations.

If you are looking for a lower-cost alternative to SSAE 16 certification, take our survey to determine if you are a candidate for Audit READY certification.

When a corporation has routine financial audits or audits related to governmental regulations, the work of their outsourced IT service providers is also audited.  A limited list of such audited outsourced services includes:

• Application Development
• Desktop and Hardware support services
• Network Administration
• Outsourced Data Centers or Server Hosts
• Hot Sites / Cold Sites for Disaster Recovery

At the end of each audit, the corporation, not the IT Service provider, is ultimately responsible for any issues found.  Corporations using IT vendors, for example, for key services will be held responsible for issues found which are the result of the IT Vendors’ performance.  Areas subject to review could include errors and omissions in documentation or processes in:

• IT Operations
• Administration 
• Governance
• Physical and Logical Security
• Project Management
• Application Development / System Implementation

Corporations can gain a reasonable sense of assurance when their IT vendor offers their Audit READY Certification of IT services), verifying they are 'audit ready'.   Guidance for remediation of issues IS given, and advice to adhere to industry standards/best practice IS given, unlike SSAE 16 reviews.

IT vendors can offer the certification as an incentive for their new clients to choose them over other, uncertified, IT service vendors. Click for requirements.