SSAE 16 (PREVIOUSLY SAS 70) & AGREED UPON PROCEDURES

Success depends on the ability to manage information used to drive core business processes. Common solutions now include full outsourcing of IT operations, outsourcing of specialized technology and applications, and use of co-location facilities. The impact associated with inaccurate or delayed transaction processing, loss of data, or compromise of customer information by a third-party service provider can negatively impact a company’s operations and reputation.

The AICPA (American Institute of Certified Public Accountants), through Statement on Auditing #70, established the SAS 70 audit report to provide information on the design and effectiveness of a company’s control environment. SAS 70 will be replaced by a new standard, SSAE 16, effective for reporting periods dated on or after June 15, 2011. Companies subject to compliance with Sarbanes-Oxley and the Graham-Leach-Bliley Act and those with strong vendor management programs are relying on SAS 70 audits to understand the effectiveness of their service providers’ internal controls.

Companies often subject to SAS 70 / SSAE 16 include financial transaction processors, software vendors, third-party administrators, HR and benefits processors, and application service providers.

Dixon Hughes Goodman Can Help
Our experienced professionals have performed SAS 70 / SSAE 16 audits for companies of various sizes in a number of industries. We understand the value of your time and have tailored an audit approach to minimize the impact on your daily activities.

Benefits of a SSAE 16 Audit

The benefits of a third-party servicer having a SSAE 16 audit performed include:

• Provides existing customers with information on the internal control environment, including the operating effectiveness of controls.
• Can be used by a customer’s financial statement auditor to determine reliance on controls in place at the service provider.
• Eliminates the need for multiple customers to perform onsite audits.
• Satisfies a requirement by many companies that an audit of internal controls be in place at their service provider.
• Indicates to potential customers a commitment to internal controls and transaction processing integrity.

• Internal Audit Resource Assistance
• IT & Operational Risk Assessment & Consultation
• Information Technology Audits (FFIEC Compliance Exams)
• Assistance with Documenting & Testing SOX-Related IT Controls
• SSAE 16 & Agreed Upon Procedures
• Network Security / Vulnerability Assessments
• Merger & Acquisition IT Due Diligence