
What are SSAE 16 Reports and How do I Use Them to Support my Audit and A-123 Compliance?

Presentation to ASMC PDI

May 29, 2015

Agenda

• Internal Controls Over Financial Reporting

- Internal Control Definition

- Management’s Responsibility

• Gaining Comfort Over Service Organization Controls

- OMB Circular A-123 (Appendix A) Requirements

- Financial Statement Audit Requirements

• Using SSAE 16 Reports

- Background and Purpose of the SSAE 16 Report

- DoD Service Organizations and SSAE 16 Reports

- Structure of the Report

- Subservice Organizations

- Evaluation of CUEC’s

- Exceptions, Responses, and Other Considerations

• Questions

Internal Controls Over Financial Reporting

Internal Control: Definition

The GAO Green Book (GAO-14-704G) defines the standards for internal control in the federal government.

Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved.

An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an entity’s objectives will be achieved.

These objectives and related risks can be broadly classified into one or more of the following three categories.

• Operations - Effectiveness and efficiency of operations

• Compliance - Compliance with applicable laws and regulations

• Reporting - Reliability of reporting for internal and external use


Internal Control: Management’s Responsibility

Oversight Body - The oversight body is responsible for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing management’s design, implementation, and operation of an internal control system.

Management - Management is directly responsible for all activities of an entity, including the design, implementation, and operating effectiveness of an entity’s internal control system.

Personnel - Personnel help management design, implement, and operate an internal control system and are responsible for reporting issues noted in the entity’s operations, reporting, or compliance objectives.

External auditors and the office of the inspector general (OIG), if applicable, are not considered a part of an entity’s internal control system.

FMFIA requires federal executive branch entities to establish internal control in accordance with these (GAO Green Book) standards.

Service Organizations

Management may engage external parties to perform certain operational processes for the entity, such as accounting and payroll processing, security services, or health care claims processing. For the purpose of the Green Book, these external parties are referred to as Service Organizations.

Therefore, management needs to understand the controls each Service Organization has designed, has implemented, and operates for the assigned operational process and how the Service Organization’s internal control system impacts the entity’s internal control system.

If controls performed by the Service Organization are necessary for the entity to achieve its objectives and address risks related to the assigned operational process, the entity’s internal controls may include Complementary User Entity Controls (CUECs) identified by the service organization or its auditors that are necessary to achieve the service organization’s control objectives.

Management retains responsibility for the performance of processes assigned to Service Organizations.

We can’t assume the other organization has it covered.

Internal Control: Management’s Responsibility

Service Provider(s) and Reporting Entity:

• Service Level Agreements (SLAs)

• Memos of Understanding (MOUs)

• Communicate, Communicate, Communicate

Gaining Comfort Over Service Organization Controls

Gaining Comfort: A-123 Requirements

Evaluating Controls of Cross-Servicing Providers and Service Organizations

When evaluating the controls in place at cross-servicing providers or Service Organizations, the Senior Assessment Team should determine the extent of procedures needed, which may include:

A. User Organizations Test the Controls

• Performing tests of the entity’s controls over the activities of the cross-servicing organization or service organization (e.g., re-performance of selected items processed by the cross-servicing organization or service organization, or reconciling output reports with source documents); or

• Performing tests of controls at the cross-servicing organization or Service Organization; or

B. Service Organization Controls Report

• Obtaining a service auditor’s report on controls placed in operation and tests of operating effectiveness (e.g., Type II SSAE 16 report) or a report on the application of agreed-upon procedures that describes the relevant tests of controls.

Test it yourself or obtain an opinion from an independent auditor.

Gaining Comfort: Audit Requirements

OMB Bulletin 14-02 (Effective October 21, 2013)

• Supersedes the provisions in OMB Bulletin 07-04, Audit Requirements for Federal Financial Statements, and OMB Technical Bulletin 08-24, Technical Amendments to OMB Bulletin 07-04, Audit Requirements for Federal Financial Statements.

In addition to the requirements set forth in AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, for those Service Organization controls that are relevant to the audit and have been suitably designed and implemented, service organizations must:

A. Allow user auditors to perform tests of controls at the Service Organization; or

B. Provide its user organizations with an audit report (referred to as a type 2 report) on whether: (1) management's description of the Service Organization's system fairly presents the Service Organization's system that was designed and implemented throughout the specified period, (2) internal controls were suitably designed to achieve the specified objectives and implemented throughout the specified period, and (3) the controls that were tested were operating effectively to provide reasonable assurance that the related control objectives were met during the period specified; or

Each financial statement auditor either tests the controls themselves or obtains an SSAE 16 (SOC 1 – Type II) opinion.

Background and Purpose

What is an SSAE 16 Report?

• A Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is an independent third party report identifying the control structure, policies, and procedures of a service organization.

• An SSAE 16 is internationally recognized as an industry standard in providing user organizations and their auditors comfort surrounding the service organization’s internal controls.

• Management’s report on internal control, describing the control environment, risk assessment, control activities, information, and communication and monitoring.

• SSAE 16 reports are also referred to as AT 801 and SOC 1 reports.

Recognized standard for providing user organizations and their auditors comfort relating to Service Organization Controls.

What are the Key Benefits?

• A SSAE 16 report may eliminate or significantly reduce the requirement for the company’s auditor to do additional testing of a service provider’s controls.

• An auditor to auditor communication which provides reliance to support the financial statement audit at user organizations.

• A reduction in service organization audit hours and business interruption by user organization auditors.

• A SSAE 16 shows a demonstration of proactive control and the ability to highlight controls over new/enhanced products or services.

The degree to which redundant testing may be reduced is influenced by the scope and period covered by the SSAE 16.

Using SSAE 16 Reports

Overview

• Provides management and user entities with an opinion on:

- Fair presentation of the system description,

- Controls related to the control objectives are suitably designed, &

- Controls related to the control objectives are operating effectively.

• Report covers controls relevant to user entity’s financial statements

Figure: SSAE 16 Report(s) flow from the service providers (DFAS Civilian Pay, DISA Enterprise Computing Services, DFAS Standardized Disbursing, Defense Civilian Personnel Data System, DISA Automated Time & Attendance Production System) to the user entities (Army, Navy, Air Force, USMC, Other Defense Organizations).

SSAE 16 reports minimize redundant testing of Service Organization controls by user entities and their auditors.

DoD Service Providers and SSAE 16 Reports

The Department has a number of SSAE 16 examinations underway and has received several unmodified opinions.

Current DoD SSAE 16s (Updated April 13, 2015): assertion status for FY 2014, FY 2015, and FY 2016

Service Provider | Assessable Unit | System(s) Included | FY 14 Opinion | FY 2014 Current or Projected Reporting Period | SSAE 16 for FY 15? | Projected Reporting Period for FY 15 | FY 2015 Expected Report Issuance Date | SSAE 16 for FY 16? | Projected Reporting Period for FY 16 | FY 2016 Expected Report Issuance Date
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
DFAS | Civilian Pay | DCPS | Unmodified | Oct 2013 - Jun 2014 | Yes | Oct 2014 - Jun 2015 | Aug 14, 2015 | Yes | Oct 2015 - Jun 2016 | Aug 12, 2016
DFAS | Military Pay | DJMS-AC, DJMS-RC, DMO (Legacy), DMO (Web) | Unmodified | Oct 2013 - Jun 2014 | Yes | Oct 2014 - Jun 2015 | Aug 17, 2015 | Yes | Oct 2015 - Jun 2016 | Aug 17, 2016
DFAS | Standard Disbursing Service | ADS, ADS IPAC MegaWizard, 22 MicroApps | Unmodified | Oct 2013 - Jun 2014 | Yes | Oct 2014 - Jun 2015 | Aug 14, 2015 | Yes | Oct 2015 - Jun 2016 | Aug 12, 2016
DFAS | Contract Pay | MOCAS, EAS, EUD (APVM / PPVM), SCRT, BAM ERMP | Unmodified | Nov 2013 - Apr 2014 | Yes | Oct 2014 - Jun 2015 | Aug 14, 2015 | Yes | Oct 2015 - Jun 2016 | Aug 15, 2016
DFAS | Financial Reporting | DDRS (AFS, B, DCM), 8 MicroApps | Modified | Mar 2014 - Nov 2014 | Yes | Dec 2014 - Jul 2015 | Sept 15, 2015 | Yes | Oct 2015 - Jul 2016 | Sept 15, 2016
DFAS | Fund Balance With Treasury (DCAS) | DCAS | N/A | N/A | No | N/A | N/A | Yes | Jan 2016 - Jun 2016 | Aug 15, 2016
DFAS | Fund Balance With Treasury (DRRT) | DRRT, 1 MicroApp | N/A | N/A | No | N/A | N/A | Yes | Jan 2016 - Jun 2016 | Aug 15, 2016
DCPAS | Defense Civilian Personnel Data System (DCPDS) | DCPDS | Modified | Oct 2013 - Jun 2014 | Yes | Oct 2014 - Jun 2015 | Aug 15 | Yes | Oct 2015 - Jun 2016 | Aug 15
DCMA | Contract Pay | MOCAS, eTools | Modified | Feb 2014 - Oct 2014 | Yes | Feb 2015 - Jul 2015 | Sept 15 | Yes | Oct 2015 - Jun 2016 | Aug 15

DoD Service Providers and SSAE 16 Reports

Current DoD SSAE 16s (Updated April 13, 2015), continued

Service Provider | Assessable Unit | System(s) Included | FY 14 Opinion | FY 2014 Current or Projected Reporting Period | SSAE 16 for FY 15? | Projected Reporting Period for FY 15 | FY 2015 Expected Report Issuance Date | SSAE 16 for FY 16? | Projected Reporting Period for FY 16 | FY 2016 Expected Report Issuance Date
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
DLA | Wide Area Work Flow - Invoices Receipt Acceptance and Property Transfer (WAWF - iRAPT) | iRAPT | Modified | Mar 2014 - Aug 2014 | Yes | Oct 2014 - Jun 2015 | Sept 15 | Yes | Oct 2015 - Jun 2016 | Aug 15
DLA | Defense Agency Initiative (DAI) | DAI | Modified | Jan 2014 - Jun 2014 | Yes | Oct 2014 - Jun 2015 | Sept 15 | Yes | Oct 2015 - Jun 2016 | Aug 15
DLA | Defense Automatic Addressing System (DAAS) | DAAS | Modified | Sep 2013 - Feb 2014 | Yes | Oct 2014 - Jun 2015 | Sept 15 | Yes | Oct 2015 - Jun 2016 | Aug 15
DLA | Defense Travel System (DTS) | DTS | N/A | N/A | Yes | Oct 2014 - Jun 2015 | Sept 15 | Yes | Oct 2015 - Jun 2016 | Aug 15
DLA | MilDeps Owned Items in DLA Custody | DSS | N/A | N/A | No | N/A | N/A | Yes | Oct 2015 - June 2016 | Aug 15
DISA | Enterprise Information Services (FY14 Scope) | Mechanicsburg, Ogden, Oklahoma City | Unmodified | Oct 2013 - Jun 2014 | N/A | N/A | N/A | N/A | N/A | N/A
DISA | Enterprise Computing Services (FY 15-16 Scope) | Mechanicsburg, Ogden, Oklahoma City, Montgomery | N/A | N/A | Yes | Oct 2014 - Jun 2015 | Jul 31 | Yes | Oct 2015 - Jun 2016 | Jul 31
DISA | Automated Time Attendance and Production System (ATAAPS) | ATAAPS | N/A | N/A | Yes | Oct 2014 - Jun 2015 | Jul 31 | Yes | Oct 2015 - Jun 2016 | Jul 31
AT&L | Defense Property Accountability System (DPAS) | DPAS | Unmodified | Oct 2013 - Jun 2014 | Yes | Jul 2014 - Jun 2015 | Aug 15 | Yes | Jul 2015 - Jun 2016 | Aug 15
U.S. Bancorp Corporate Payment Systems | U.S. Bank Freight Payment Transaction Processing System | Syncada | Unmodified | Oct 2013 - Sept 2014 | Yes | Oct 2014 - Sept 2015 | Nov 15 | Yes | Oct 2015 - Sept 2016 | Nov 16

DoD Service Providers and SSAE 16 Reports

Figure: timeline from Sept. 2013 through Sept. 2016 (Fiscal 2014, Fiscal 2015, Fiscal 2016) showing each SSAE 16 examination period against the ODO examination period and the ODO financial statement audit period. SSAE 16s shown: DFAS - Civilian Pay, DFAS - Military Pay, DFAS - Disbursing, DFAS - Contract Pay, DFAS - Financial Reporting, DFAS - FBWT (DCAS), DFAS - FBWT (DRRT), DCPAS - DCPDS, DCMA - Contract Pay, DLA - iRAPT (WAWF), DLA - DAI, DLA - DAAS, DLA - DTS, DLA - SOIDC, AT&L - DPAS, US Bank - SYNCADA, DISA - ATAAPS, DISA - ESD. Each period is labelled Unmodified Opinion, Modified Opinion, Opinion TBD, Gap Period, or No SSAE 16.

SSAE 16 reports will continue to be obtained in subsequent fiscal years.

Structure of the Report

What are the Key Terms?

Control Objective - Statements intended to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) reliability of financial reporting, (2) effectiveness and efficiency of operations, and (3) compliance with applicable laws and regulations.

Control Activity - Policies and procedures at a service organization that may affect a user organization’s internal control structure and the assertions in its financial statements.

Operating Effectiveness - How a control is applied, the consistency with which it is applied, and by whom it is applied. Testing is performed by the service auditor to validate the operating effectiveness of key controls.

Service Auditor - The auditor who reports on the processing of transactions by a service organization.

Service Organization - The entity (or segment of an entity) that provides services to the user organization.

User Organization - The entity that has engaged a service organization and whose financial statements are being audited.

The Service Auditor performs the SSAE 16 for the Service Organization.

Report Breakdown

Section 1 Report of Independent Auditor – Opinion on the design and operating effectiveness of controls and their ability to meet the control objective.

Section 2 Management’s Assertion – A written assertion by management of the service organization about the service organization’s system that was designed, implemented, and operated effectively throughout the specified period.

Section 3 Service organization’s description of systems – The description of controls should contain aspects of the service organization’s control environment, risk assessment, information and communication, monitoring of controls, and control activities that may impact the services provided to user organizations. This section may also include control objectives and related controls, description of information technology systems and controls narratives and user controls.

Section 4 Service organization’s control objectives and related controls, and the independent service auditor’s tests of controls and results of tests – This section lists out the control objectives, control activities, types of tests performed by the independent auditor, and results of the tests performed by the independent auditor.

Section 5 Other information provided by the service organization – Additional information which the service organization may desire to include in the report and which is not included within the scope of the audit opinion (e.g., business continuity / disaster recovery planning).

Section 4 provides detailed information regarding the controls in place at the Service Organization and results of testing.

Types of Tests

• Inquiry - Inquire of appropriate personnel to obtain knowledge and additional information regarding the control and corroborating evidence of the control. (Usually employed to validate non-key or low risk controls).

• Observation - Observe the flow of transactions through the system, observe personnel performing day to day functions and applying controls, and review relevant documents and records as necessary.

• Inspection - Inspect a sample of documents and records which indicate or evidence the performance of controls.

• Reperformance - Test a sample of transactions and other items through re-performance of the control or processing application (e.g., ITF, CAATs).

The degree of testing is significantly more rigorous than required by internal certification and accreditation.

Audit Opinions

• Unqualified opinion

- Ideal result: States that the control system is fairly presented and designed as well as operating effectively

- Achieved by having adequate controls in place and having no or minimal control exceptions found in testing

• Qualified opinion

- States that, except for the effects of the matter(s) to which the qualification relates, the control system is fairly presented and designed as well as operating effectively

- Can be triggered by lacking efficient controls or by having multiple control exceptions

An unqualified opinion doesn’t mean no action is required and a qualified opinion doesn’t mean all hope is lost.

Audit Opinions (continued)

• Adverse opinion

- States that the report does not present fairly the control system.

• Disclaimer opinion

- States that the auditor does not express an opinion.

• Emphasis of Matter

- Typically is used to inform user that a control did not operate during the period and therefore, the control objective cannot be achieved.

- Also used to provide information about a subsequent event or other matter that does not result in qualification but needs to be disclosed to the user.

Disclaimers or Adverse opinions have the most severe impact on Service Organization control reliance.

Subservice Organizations

Definitions

• Subservice Organization

- A service organization used by another service organization to perform some of the services provided to user entities that are relevant to those user entities' internal control over financial reporting.

• Vendor and Other Service Providers

- Similar to subservice organizations, but they are not required to achieve any of the control objectives.

We should consider the degree of interaction as well as the nature and materiality of the transactions processed by the service organization and the subservice organizations to determine the significance of the service organization's and subservice organization's controls to the user entity's controls. If we determine that the services provided by the subservice organization are relevant, we should obtain the subservice organization’s SOC 1 report and evaluate it in the same manner that we evaluated the service organization's SOC 1 report.

Subservice Organization controls must also be considered.

Examples of Subservice Organizations

• DFAS, DLA, DCMA, and AT&L use the services of DISA (Enterprise Computing Services) for application hosting.

• The description includes only the controls and related control objectives of the Service Organizations and excludes the control objectives and related controls of DISA Enterprise Computing Services.

• The auditors’ examination did not extend to the controls of DISA Enterprise Computing Services.

Subservice Organization reliance is pervasive in DoD.

Evaluation of CUECs

Complementary User Entity Controls (CUECs)

• A service provided by the service organization may be designed with the assumption that certain controls will be implemented by the user entity. For example, the service may be designed with the assumption that the user entity will have controls in place for authorizing the transactions before they are sent to the service organization for processing.

• We should determine whether the complementary user entity controls identified by the service organization are relevant in addressing the risk of material misstatement relating to the relevant assertions in the financial statements and, if so, obtain an understanding of whether the user entity has designed and implemented such controls.

• The user auditor is responsible for testing controls related to CUECs that are in place at the user organization.

CUECs can impact reliance on the SSAE 16 report.

Examples

DFAS - FEDERAL CIVILIAN PAY SERVICE

Domain: Payroll Related Data/File Maintenance and Input: Personnel Actions

User Entity Controls Applicable to Reporting Entity: Control Objective 8 - Controls provide reasonable assurance that payroll data, including personnel and payroll adjustments, is received from authorized sources, and is input into DCPS completely, accurately, and timely.

Description of User Entity Control(s) (or Justification of Non-Applicability):

• All changes to the DCPS MER are approved by appropriate user entity management before submission for payroll processing.

• If a pseudo Social Security Number (SSN) is created, it has been authorized by appropriate user entity management and, if necessary, is accurately tied to a primary and valid SSN.

• All personnel actions are properly authorized and completely and accurately entered into DCPS or the interfacing system by the user entity HROs on a timely basis.

• The user entity HRO ensures employees that have no future payroll payment have submitted the proper notification to DCPS to stop payroll payment in a timely manner.

Significant attention has been placed on identifying the CUECs.

Examples (continued) DFAS – Financial Reporting

User Entity Control Considerations Relevant to Financial Reporting and/or DDRS (DFAS - Financial Reporting SSAE16 Complementary User Entity Controls Summary). In the original, red text = DFAS responsibility, orange text = dual responsibility, black text = entity responsibility. Unless otherwise specified, DDRS refers to DDRS-B, DDRS-AFS, and DDRS-DCM.

Reference # 1 - Domain: Access Controls. Responsible Party (DFAS or Reporting Entity): Reporting Entity. Comments: new Financial Reporting CUEC.
Proposed new wording*: Logical access to computer terminals and/or other computer devices, used to access DDRS, which are located at and/or administered by user entities, is restricted to authorized user entity staff.
KSDs recommended to address CUEC: 1. System Authorization Access Request form (e.g., DD 2875) authorizing network access; 2. Common Access Card authorization; 3. Policies and procedures relating to user access, computer issuance, and CACs; 4. Listing of system users and their privileges.

Reference # 2 - Domain: Access Controls. Responsible Party: Reporting Entity. Comments: new Financial Reporting CUEC.
Proposed new wording*: Physical access to workstations and/or other computer devices used to access DDRS that are located at and/or administered by user entities is restricted to authorized user entity staff.
KSDs recommended to address CUEC: 1. System Authorization Access Request form (e.g., DD 2875) authorizing network access; 2. Common Access Card authorization; 3. Policies and procedures relating to user access, computer issuance, and CACs; 4. Listing of system users and their privileges.

Reference # 3 - Domain: Security Management. User Entity Control: User entity is responsible to ensure their staff received appropriate security awareness training (Control Objective 1). Responsible Party: Reporting Entity. Comments: Revised CUEC wording.
Proposed new wording*: User entity staff receives appropriate security awareness training.
KSDs recommended to address CUEC: 1. Listing of user entity employees and training record; 2. Listing of system users and their privileges; 3. Policies and procedures relating to user access, computer issuance, and CACs; 4. Policies and procedures relating to security training.

Reference # 4 - Domain: Security Management. User Entity Control: User entity is responsible to ensure that requests for DDRS user accounts are submitted only for those staff appropriately approved to receive access (Control Objective 1). Responsible Party: Reporting Entity. Comments: Revised CUEC wording.
Proposed new wording*: User entity staff access to DDRS has been duly authorized by an appropriate member of user entity management.
KSDs recommended to address CUEC: 1. Policies and procedures relating to user access, computer issuance, and CACs; 2. Listing of system users and their privileges; 3. DD 2875's; 4. List of authorized approvers/submitters.

Efforts have been made to solicit user entity input.

Exceptions, Responses, and Other Considerations

Responding to Exceptions Identified in SSAE 16 Reports

Understand the risk and how it may be mitigated.

Other Considerations

Management’s (Service Organization’s) response

Management’s response to the identified exception(s) is often included in the unaudited section of the report, which means that the auditor did not test or verify that the information provided by management is accurate.

The user entity and their auditor can use management’s response to assist in determining the status of exceptions / remediation, but simply referencing management’s response is typically not sufficient.

Additional testing may be required by the user entity and their auditor.

Other Considerations

GAP Period

The Service Organization and Service Auditor must balance the competing needs of maximizing the period covered versus delivering the SSAE 16 report in time for it to be useful to the user entities and their auditors.

Figure: the timeline from the DoD Service Providers and SSAE 16 Reports slide, repeated here, showing each SSAE 16 examination period (Fiscal 2014 through Fiscal 2016) against the ODO examination period and ODO financial statement audit period, with the uncovered months marked Gap Period.

Other Considerations

GAP Period

• As a result, SSAE 16 reports do not typically cover all twelve months of the fiscal year, resulting in a gap period.

• The user entities and their auditors will need to perform some additional procedures to obtain comfort that Service Organization controls continued to operate effectively during this period.

• It is typical for user entities and their auditors to obtain some comfort for the gap period by requesting a “Bridge Letter”, but this alone may not be sufficient.

Additional testing may be required by the user entity and their auditor.
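To make the gap-period arithmetic concrete, here is an added Python example (my own code, not part of the presentation) that takes examination periods in the "Oct 2013 - Jun 2014" form used in the Current DoD SSAE 16s table above and lists the months of a federal fiscal year (1 Oct through 30 Sep) that the report does not cover, which is where a bridge letter or additional procedures are needed. The function names and the status labels are assumptions; the sample rows are FY 2014 entries copied from the table.

```python
"""Gap-period check for an SSAE 16 (SOC 1 Type II) examination period.

Added example, not part of the presentation. The federal fiscal year
(1 Oct - 30 Sep) and the 'Oct 2013 - Jun 2014' period format come from
the deck; the function names and status labels are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

MONTH_NAMES = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
               "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
MONTH_NUMBER = {name.lower(): i for i, name in enumerate(MONTH_NAMES, start=1)}

# Accepts 'Oct 2013 - Jun 2014', also 'Sept 2014' / 'June 2016', hyphen or en dash.
PERIOD_RE = re.compile(
    r"^\s*([A-Za-z]{3})[a-z]*\.?\s+(\d{4})\s*[-–]\s*([A-Za-z]{3})[a-z]*\.?\s+(\d{4})\s*$"
)


def month_index(year: int, month: int) -> int:
    """Absolute month number, so periods can be compared as integer ranges."""
    return year * 12 + (month - 1)


def month_label(index: int) -> str:
    """Inverse of month_index, e.g. 'Jul 2014'."""
    return f"{MONTH_NAMES[index % 12]} {index // 12}"


def parse_period(text: str) -> tuple[int, int] | None:
    """Parse a report period; 'N/A' means no SSAE 16 exists for that year."""
    if text.strip().upper() in ("", "N/A"):
        return None
    match = PERIOD_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised period format: {text!r}")
    start = month_index(int(match.group(2)), MONTH_NUMBER[match.group(1).lower()])
    end = month_index(int(match.group(4)), MONTH_NUMBER[match.group(3).lower()])
    if end < start:
        raise ValueError(f"period ends before it starts: {text!r}")
    return start, end


def fiscal_year_months(fy: int) -> range:
    """Federal FY<n> runs 1 Oct <n-1> through 30 Sep <n>: twelve month indexes."""
    return range(month_index(fy - 1, 10), month_index(fy, 9) + 1)


@dataclass
class Coverage:
    assessable_unit: str
    fiscal_year: int
    covered_months: int      # FY months inside the examination period
    gap_months: list[str]    # FY months the report does not cover
    status: str              # "covered", "gap period" or "no SSAE 16"


def evaluate(assessable_unit: str, period_text: str, fy: int) -> Coverage:
    """Compare the examination period with the user entity's fiscal year."""
    period = parse_period(period_text)
    gaps = []
    for idx in fiscal_year_months(fy):
        # Months of the report that fall outside the FY give no comfort for this FY.
        if period is None or not (period[0] <= idx <= period[1]):
            gaps.append(month_label(idx))
    if period is None:
        status = "no SSAE 16"
    elif gaps:
        status = "gap period"
    else:
        status = "covered"
    return Coverage(assessable_unit, fy, 12 - len(gaps), gaps, status)


# FY 2014 rows copied from the 'Current DoD SSAE 16s' table in the deck.
FY2014_ROWS = [
    ("DFAS Civilian Pay (DCPS)", "Oct 2013 - Jun 2014"),
    ("DFAS Financial Reporting (DDRS)", "Mar 2014 - Nov 2014"),
    ("DFAS FBWT (DCAS)", "N/A"),
    ("U.S. Bank Syncada", "Oct 2013 - Sept 2014"),
]

if __name__ == "__main__":
    for unit, period in FY2014_ROWS:
        cov = evaluate(unit, period, 2014)
        gap = ", ".join(cov.gap_months) if cov.gap_months else "none"
        print(f"{unit:34} {cov.status:12} covered {cov.covered_months:2}/12  gap: {gap}")
```

Running it shows, for example, that the FY 2014 Civilian Pay report leaves Jul, Aug and Sep 2014 uncovered, while the Financial Reporting period (Mar - Nov 2014) covers only seven months of FY 2014 because its first five months fall before the examination period began.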

Questions