19 Mar Confuzzled by SSAE 16 Certifications
My middle school daughter has a new word: Confuzzled. She is confuzzled by her algebra homework, confuzzled as to why I won’t let her have ice cream before dinner, and confuzzled that there was once a time when you had to answer the phone without knowing who was on the other end. Urbandictionary.com says that confuzzled is a merge of the words “confused” and “puzzled”, but it hasn’t made its way to Webster’s yet. I haven’t corrected her for using a word that isn’t actually a word because I think it’s harmless and well, quite frankly, cute.
That being said, I am confuzzled. More and more often I see service organizations claim to be SSAE 16 certified. I’m here to set the record straight. There is no such thing as SSAE 16 certification. Service auditors are engaged to perform an attestation engagement to report on controls at a service organization, which results in the issuance of a Service Organization Controls (SOC) report.
Generally, here is how it works. If a service organization determines that they need to assure their customers (user organizations) that the service organization controls affecting the user organization’s internal control over financial reporting are sufficient and functioning properly, they will engage a qualified CPA to perform an attestation engagement under SSAE 16 guidelines.
For example, an organization that processes medical claims for health insurance companies would commonly obtain a SOC report to provide assurance about its controls to its customers. The health insurer is responsible for the accuracy of the data provided by the claims processor, so the health insurer should expect the claims processor to provide assurance that it has sufficient controls to ensure the accuracy of that data.
As part of the attestation engagement, the service organization must provide the service auditor with a description of the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization’s core activities that are relevant to user entities. They must also provide a written assertion that the description of the system fairly presents the system that was designed and implemented, that the controls were suitably designed (Type I Report), and that the controls were operating effectively (Type II Report).
In the Service Organization Controls (SOC) report itself, the service auditor expresses an opinion on the information provided by management. The service auditor also includes a description of their tests of controls and the results thereof (Type II) in the report. If a control deficiency is found by the service auditor in testing, they will note an exception in the SOC report. For example, if a service organization claims that it has dual sign-off on a particular document and the auditor finds that 3 out of 10 times the second signature is missing from the document, an exception will be noted. Exceptions can, but do not always, lead to a qualified opinion (a modification of the standard opinion language indicating issues with the presentation, design and/or effectiveness of one or more of the control objectives).
So, there’s an SSAE 16/SOC 1 engagement in a nutshell. As was the case with SSAE 16’s predecessor, SAS 70, the misconception about certification has been perpetuated in today’s business environment. Just remember that because every service organization is unique, SSAE 16 examinations cannot be standardized and boiled down to a certification. I hope I’ve helped to clear up some of the confuzzlement.