The Anatomy and Need for an SSAE 16 Audit


Transcript of The Anatomy and Need for an SSAE 16 Audit

Page 1: The Anatomy and Need for an SSAE 16 Audit

This e-book is designed to help business professionals understand when they may need an SSAE 16 report and key factors about the engagement.

We invite you to share your questions and comments with us on Twitter, on our blog or through email at [email protected]

Page 2: The Anatomy and Need for an SSAE 16 Audit

TABLE of CONTENTS

Why Does Your Business Need an SSAE 16 Audit Report? (p. 3)
• An SSAE 16 Audit is for Your Clients
• Meeting Your Clients’ Needs Through an SSAE 16 Audit

History of SSAE 16 SOC 1 and SAS 70 (p. 6)
• Sarbanes-Oxley and the Public Company Accounting Oversight Board
• SSAE 16 Audit Report

What is Examined in an SSAE 16 Audit? (p. 9)

Your First and Subsequent Audits (p. 10)
• How Long is an SSAE 16 Report Relevant?

How Long Does it Take to Complete an SSAE 16 Audit Report? (p. 12)
• Three Primary Factors in Completing an SSAE 16 Report

Cost Factors of an SSAE 16 Report (p. 14)
• Type of Business
• Number of Locations of the Business
• Number of Employees
• Number of Applications
• Your Deadline

The 5 Stage Process to Producing an SSAE 16 Report (p. 16)

About Auditwerx (p. 18)

Page 3: The Anatomy and Need for an SSAE 16 Audit

WHY DOES YOUR BUSINESS NEED an SSAE 16 AUDIT REPORT?

1. Your clients expect it.

2. Your compliance process will be streamlined and ready when a client or prospect requests an SSAE 16 Audit Report.

3. You will communicate to clients and prospects your compliance with standards and industry best practices.

4. You create a level playing field with your competitors.

5. You can be a leader in your industry.

Page 4: The Anatomy and Need for an SSAE 16 Audit

A Statements on Standards for Attestation Engagements (SSAE) 16 audit enhances your business. The audit engagement process provides you with a better understanding of the design and operating effectiveness of your internal control environment. It also provides you with verification of how your company is performing compared to industry standards and best practices. This information enables you to improve your transaction processing and controls when necessary, and positions your company to be more competitive.

The audit report is itself a powerful tool. It provides evidence of compliance with the American Institute of Certified Public Accountants (AICPA) standard on control environments—SSAE 16, and it sends a message to your clients and prospects that you take controls and security seriously.

Page 5: The Anatomy and Need for an SSAE 16 Audit

The SSAE 16 Audit is for Your Clients

A successful SSAE 16 Service Organization Controls (SOC) 1 audit results in the creation of a final report called the Independent Service Auditors Report on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting. This is the report you share with your clients to provide them with the auditor’s opinion about your policies, procedures, and controls in the areas of IT, data security, and transaction processing.

Meeting Your Clients’ Needs

A client normally requests an SSAE 16 SOC 1 report from you in order to meet their Sarbanes Oxley Act (SOX), section 404 requirements. Clients may request an SSAE 16 report at any time or for other reasons, but SOX 404 is by far the biggest trigger for these audit engagements.

"Our company has completed SAS 70 audits the last several years with other companies. We experienced a seamless transition to Auditwerx and the new SSAE 16 audit standard. Auditwerx organization and leadership through the auditing process made our recent audit our most pleasant to date."

Matt W., V.P. Operations, Resource Benefits Administration Firm

Page 6: The Anatomy and Need for an SSAE 16 Audit

HISTORY of SSAE 16 SOC 1 and SAS 70

The American Institute of Certified Public Accountants first issued SAS 70, the Statement on Auditing Standards, number 70, in 1992. The purpose of a SAS 70 audit was to enable service organizations to assure their public company clients that their data was safe. Auditors analyzed and assessed internal controls within service organizations to determine if the policies and procedures were sufficient to secure and handle data.

Sarbanes-Oxley and the Public Company Accounting Oversight Board

In 2002, in response to several high-profile instances of fraud in public companies, the U.S. Congress created the Sarbanes-Oxley Act to create a new set of standards for financial activity in public companies. As part of the new regulations and standards regarding financial reporting, the Public Company Accounting Oversight Board (PCAOB) drafted section 404.

Page 7: The Anatomy and Need for an SSAE 16 Audit

Section 404 of Sarbanes-Oxley requires publicly traded companies to test internal controls that impact data relevant to their financial reporting to ensure transparency and data integrity. Because the internal controls of a service organization can directly impact the financial reporting requirements of a company with which they do business, service organizations that serve public companies are subject to the same level of scrutiny of their internal controls.

In June 2011, SAS 70 was replaced by SSAE 16, the Statements on Standards for Attestation Engagements, number 16, designed to enable independent auditors to provide an opinion on the design and effectiveness of internal controls of service organizations. An SSAE 16 audit examination results in The Report on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting that the organization can share with its clients and their auditors.

Page 8: The Anatomy and Need for an SSAE 16 Audit

SSAE 16 AUDIT REPORT

The goal of the SSAE 16 audit examination report is to enable a service organization to assure its public company clients that their internal controls are designed properly and do what they say they do. The SSAE 16 audit examination has an independent, third-party auditor provide an opinion on the design and effectiveness of the internal controls with a direct impact on another company’s financial statements.

A service company working indirectly with the public company involved may still need an SSAE 16 report. For example, an outsourcer that does invoicing for the online business of a public company, due to their involvement in financial transactions, may require an SSAE 16 SOC 1 report to assure their client of the effectiveness of the design and implementation of their controls and enable them to comply with regulations.

If the invoicing company, in turn, houses all their data with a data warehousing company, because that data includes the financial data of the original retailer, the invoicing company will need an SSAE 16 SOC 1 report from the data warehousing company as well. The control environment of that public company can only be 100% in compliance with SOX 404 and other applicable regulations if every step in the process and every entity involved undergoes the same examination process.

"In 2012 when the new SSAE16 requirements were newly implemented, we began looking for an agency to perform the SSAE16 SOC1 audit for us. ...Auditwerx did an exceptional job to not interrupt business while thoroughly auditing everything we do. The week of their site visit was intense and pleasant and our work continued as normal. I highly recommend Auditwerx and welcome any inquiries about the organization."

Shae H., Director of Business Development, Receivables Management Company

Page 9: The Anatomy and Need for an SSAE 16 Audit

WHAT is EXAMINED in an SSAE 16 AUDIT?

The transactions that are examined for an SSAE 16 report are those that are central to your business. For example, if you run an employee benefits business, the audit examination could include escrow accounts and processing payments. If you run a tax processing business, the examination could include reviewing how you collect and disburse money and make tax payments.

In an SSAE 16 report, we look at several elements of each transaction:

• Initiation of the process

• Authorization of the process

• Recording & logging of the process

• Security measures that are part of the process

• Accuracy of the process

• Timeliness of conducting the process

Page 10: The Anatomy and Need for an SSAE 16 Audit

YOUR FIRST and SUBSEQUENT AUDITS

Once you have gathered all the supporting information for the first audit examination, you can create a framework for documenting and storing each subsequent period’s information, so that you are better prepared for the audit in subsequent years.

How Long is an SSAE 16 Report Relevant?

An SSAE 16 SOC 1 report is a backward-looking report. That means you choose a point in time and work backward for a period of three to twelve months to review internal controls. This report is good for one full year from the date of the report. That holds true whether the report was issued for a 3-, 6-, or 12-month review period.

The report is finalized and dated when the auditor has reviewed and tested all included controls and received all the necessary documentation from you, the client. Because the report date is critical to the verification of internal controls for your clients and for reporting purposes, we recommend that companies begin the engagement 60 to 90 days before it is needed. This ensures we have time to conduct the audit properly, issue the report to meet your deadline, and enjoy a smooth process.

Page 11: The Anatomy and Need for an SSAE 16 Audit

Because many companies request an SSAE 16 report from their contracted service companies to coincide with the end of their own fiscal year, the request may come at an awkward time for your organization. For example, a client may request the report for a December 31 close of their fiscal year. If your company has operations that are also impacted by the end of the year, you may not be able to work on an SSAE 16 audit at the same time.

If it is more convenient for your company to conduct the SSAE 16 audit engagement earlier than your clients need the report, an audit gap letter can be issued to extend coverage to meet your client’s requirements. An audit gap letter extends coverage of the audit for up to 90 days of operations after the report date. This allows us to conduct the SSAE 16 audit earlier in the year as in the following example:

The date of your current SSAE 16 report is September 30, 2012 but your client’s fiscal year ends December 31, 2012 and they need a report to cover all of 2012. Within six months of the original report date (through March 30, 2013), the auditor can issue an audit gap letter to extend the validity of your SSAE 16 report to December 31, 2012 to satisfy the client’s request.

“This was our first time to go through this type of audit. We were carefully guided through each step of the process. The entire audit went very smoothly.”

Kelly T., Project Manager, Employee Benefits Administration

Page 12: The Anatomy and Need for an SSAE 16 Audit

HOW LONG DOES it TAKE to COMPLETE an SSAE 16 AUDIT REPORT?

In general, the audit examination process takes about six to eight weeks, though there are many factors that can affect how long an actual engagement will take. It is possible to expedite an SSAE 16 audit examination and complete the report in as few as four weeks if a company can provide full-time support of several staff members.

Three Primary Factors in Completing an SSAE 16 Report

Do you have documented policies and procedures?

If your organization has policies and procedures regarding internal controls in place, the audit process can be quicker than if you have to create new procedures or documentation for the purposes of the engagement. One advantage of working with an experienced assurance audit provider is the auditor’s comprehensive system of templates for any possible policy or procedure. Clients are often able to adjust a pre-composed policy template to match their unique operations to avoid writing a new policy or procedure from scratch.

Page 13: The Anatomy and Need for an SSAE 16 Audit

How many controls or procedures does the audit include?

The number and complexity of the controls to be included in the audit affect the length of the process. All policies and procedures that impact the financial reporting of your clients must be included. For one organization there may be one or two relevant procedures while there may be dozens that come into play for another.

How complex are your policies and procedures?

A relatively straightforward procedure like an employee termination procedure may be a one- or two-page checklist. A more complex policy like an IT security policy may be a 30- to 40-page document.

Resources Dedicated to the Audit Examination

In addition to these three factors that determine the scope of an audit engagement, your company’s ability to dedicate resources to the project will affect the time needed to complete the examination. To conduct an SSAE 16 SOC 1 audit examination, an auditor must work closely with someone in your organization. An SSAE 16 audit examination typically requires participation and input from the areas of IT, operations, human resources, finance, and support operations. The amount of time needed with each team member will depend on the service your organization provides and the number and types of controls we need to review and test.

"We engaged Auditwerx to assist us in completion of our first SSAE16 audit. We found the Auditwerx staff to be extremely knowledgeable, efficient and overwhelmingly patient and helpful during the entire process. The ease by which they navigated us through our audit was nothing short of amazing! I would highly recommend them!"

Jodie D., COO, Third Party Benefits Administration Firm

Page 14: The Anatomy and Need for an SSAE 16 Audit

COST FACTORS of an SSAE 16 REPORT

The financial cost of an SSAE 16 report varies depending on many factors. Let’s look at the five primary factors that affect the cost of an SSAE 16 report.

1. TYPE of BUSINESS

Some service businesses are more complex than others and have more internal controls or are impacted by regulatory requirements.

2. NUMBER of LOCATIONS of the BUSINESS

Auditors are required to review the main office of a business as well as offices or facilities that house computer servers involved in the service the organization provides. That may involve traveling domestically or internationally.

3. NUMBER of EMPLOYEES

To ensure a proper separation of duties, auditors are required to report on everyone who comes in contact with the transactions and anyone with access to the data or the money.

Page 15: The Anatomy and Need for an SSAE 16 Audit

4. NUMBER of APPLICATIONS

Auditors are required to report on the internal controls for each type of transaction that impacts your clients’ financial information. The auditors test a sample of all transactions conducted in one year. The more applications you have that are subject to internal control requirements, the more to test.

5. YOUR DEADLINE

The typical time required to produce an SSAE 16 SOC 1 report is six to eight weeks. It is possible to produce a report more quickly but an expedited process will be more costly than a report delivered in a standard timeframe.

For a U.S. or Canada-based service organization with 1 or 2 locations, 25 to 200 employees, and 1 to 3 standard services for their customers, standardized pricing generally applies.

Page 16: The Anatomy and Need for an SSAE 16 Audit

The 5 STAGE PROCESS to PRODUCING an SSAE 16 REPORT

Auditwerx has developed a five-stage process to help clients estimate how long their SSAE 16 SOC 1 examination will take. This process includes planning, preparation, on-site review, audit report draft, and audit report completion. But this is not a cookie-cutter service. Once the planning stage is complete, we discuss with our client the scope of the examination, the expected time frame, and any unique requirements. We work closely with clients to create a thorough SSAE 16 report that communicates to your clients that your operations are secure.

Page 17: The Anatomy and Need for an SSAE 16 Audit

With our extensive experience, we have streamlined the SSAE 16 SOC 1 report process for our clients. We take pride in our ability to serve clients efficiently while also getting to know them as individuals and businesses. Each SSAE 16 SOC 1 audit engagement we perform proceeds smoothly through each phase of the engagement. Our efficiency is grounded in the fact that we do not use contractors. Rather, we have the ability to provide the same audit team from start to finish on all phases of an engagement. This allows us to understand our client’s operations thoroughly, not just audit them from a distance. At the end of the day, providing value-added guidance and recommendations to our clients by going beyond the basics of the audit is what’s most important to us at Auditwerx.

“Initially, we were concerned about the magnitude of undergoing a SSAE 16 SOC 1 audit…Auditwerx has a seamless audit process; it was so easy to upload the required documents to their website, track our progress, receive feedback and input and stay on top of the process. We couldn’t be more pleased with the audit and with the overall end product. Our SSAE 16 SOC 1 report was amazing.”

Scott B., Certified Public Accountant, Retirement Plan Administration

Page 18: The Anatomy and Need for an SSAE 16 Audit

ABOUT AUDITWERX

An International CPA and CA Audit Firm

Auditwerx is a trusted partner for service companies that require third-party Certified Public Accountant (CPA) or Chartered Accountant (CA) auditor assurance engagements to meet regulatory or customer compliance needs. We are a one-stop resource for U.S., Canadian, and International service organization controls examinations.

Our five (5) step process for SSAE, CSAE and ISAE audit engagements along with our dedication to details is why our CPAs and IT experts have been delivering quality audit services to a broad array of service organizations exclusively since 2005. To learn more about the audit process or to discuss arranging an audit engagement, get in touch with us at 888-893-5536 or email us at [email protected]

Auditwerx - United States
3000 Bayport Dr, Suite 480
Tampa, FL 33607
Office: 888-893-5536
Fax: 727-499-6867

Auditwerx - Canada
1 Yonge Street, Suite 1801
Toronto, ON M5E 1W7
Office: 866-320-1859

Our vision is to be recognized as the most trusted provider of audit compliance services, our industry’s employer of choice, and our future shareholders’ investment of choice.