Retail Management Solutions

Big Sky Completes SSAE 16 Audit

As you may already know, the SAS 70 audit standard has been replaced by the new SSAE 16 standard. Big Sky recently completed our annual examination, and we are proud to say that our report is now issued under SSAE 16. This is the seventh consecutive year in which we have completed this examination under AICPA standards.

What does this mean for our customers?

It means that we continue to provide safe, secure services to our customers for the functions that touch financial transactions (Work Orders, Electronic Invoicing and Cap-ex Projects). Our SSAE 16 report attests that the controls protecting this transactional data, including keeping it in a secured computing environment that only authorized users can access, are accurately described, suitably designed and, for the Type II period, operating effectively. Most public companies that use our software require this report, because their own financial statement auditors need it in order to rely on the controls we operate on their behalf.

What exactly is the SSAE 16?

SSAE 16 stands for Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization, issued by the American Institute of CPAs (AICPA). The deliverable of an SSAE 16 engagement is an Independent Service Auditor's Report on a Description of a Service Organization's System and the Suitability of the Design (and, for a Type II report, the Operating Effectiveness) of its Controls, commonly referred to as a SOC 1 report.

New characteristics:

  1. Management attestation – SSAE 16 is not an audit standard but an attest standard. Going forward, Big Sky's management must attest in writing to the fair presentation of the system description and the suitability of the design of its controls. SAS 70 was an audit standard and did not require Big Sky's management to attest within the report; only the auditors expressed an opinion, and Big Sky's representation letter was not included in the report. Under SSAE 16, Big Sky's management provides a description of the company's service delivery system, its controls and its control objectives, and attests in writing that: 1) the system description fairly presents the controls in place; 2) the described controls are suitably designed to meet their objectives; and 3) for a Type II report, that the controls operated effectively throughout the report period. The auditors then examine the controls to form their own opinion, which they state in the report. The written assertion holds Big Sky's management directly accountable for what the report describes.
  2. Suitable criteria for evaluation – Big Sky's management must use suitable criteria for evaluating the company's service delivery system, state in the written assertion which criteria were used, and draw those criteria either from a widely recognized standard or from criteria developed with a reasonable level of rigor, i.e., objective, measurable, complete and relevant.
  3. Evidence from prior engagements is disallowed – Auditors gather evidence for each control being assessed. Under SAS 70, auditors could reuse evidence gathered in prior audits to save time. SSAE 16 prohibits reliance on prior-period evidence; every control must be supported by evidence obtained in the current engagement.
  4. Disclosure of reliance on internal auditors – Under SAS 70, auditors could rely on the internal audit function's tests of controls without disclosing that reliance. SSAE 16 requires full disclosure of any such reliance, and the company must provide a detailed description of the internal audit activities, processes, tools and conclusions that were relied upon.
  5. Restrictions on report use – SAS 70 restricted use of the report to company management, customers, and customers' financial statement auditors. SSAE 16 narrows the customer restriction to customers as of the report date for a Type I report, and to customers during the period covered for a Type II report. In other words, the report can no longer be handed to anyone who happens to be a customer at some point; it is restricted to the customers in scope for the time the report covers.
  6. Included vs. excluded subservice organizations – If the inclusive method is chosen for reporting on subservice organizations, SSAE 16 now requires the subservice organization's management to provide its own written assertion, which is included in the service organization's report.

Unchanged characteristics

  1. Scope of the assessment – the service organization decides which controls are pertinent to service delivery.
  2. System description – Like SAS 70, SSAE 16 relies on management's written description of the system, its controls and the objectives the controls are designed to meet. For each control objective, management describes the control activities that address it, and the auditors collect evidence for each activity claimed.
  3. Type I and Type II reports – Type I is point in time, while Type II covers a stated time period.
  4. Basic format of the report – The report contains the service auditor's opinion letter and the system and controls description, covering the control environment, risk assessment and management, information and communication systems, general controls, application controls and monitoring procedures. It also includes complementary user entity controls (what the customer is responsible for on its side) and any other relevant information.
  5. Assessment process – The auditors express an opinion on whether the service organization's description of its controls is fairly presented. They review the control objectives and control activities to verify that the controls exist and are designed as described, and for a Type II report they also test whether the controls operated effectively over the period.

Big Sky has always taken our customers' security and control requirements very seriously. Having our processes and controls examined against rigorous standards provides a high level of assurance both to our customers and to the thousands of vendors and contractors who use our systems.

Read more about SSAE 16 and Big Sky's audit and compliance standards on our Audit and Compliance page.