Service Organization Controls

SAS 70 / SSAE 16 Audit Services

As more and more companies outsource certain functions to third-party providers, they rely on independent auditors to ensure that the third parties have proper controls in place and are performing as agreed.

The Statement on Auditing Standards No. 70 (SAS 70) provided guidance for independent auditors who issue reports on companies’ transaction processing controls. Recently, the AICPA issued Statement on Standards for Attestation Engagements 16 (SSAE 16), which went into effect June 15, 2011. The change was made in part to bring U.S. reporting standards in line with international reporting standards.

While SAS 70 examinations focused on controls surrounding the specific process under examination, the control environment is also a key component. It has long been part of Barnes Dennig’s standard examination, and it has been incorporated into SSAE 16. This includes personnel policies and procedures, management and Board of Director oversight, risk management procedures, and monitoring of controls in place.

We address each of the following areas in a typical examination:

  • Physical security
  • Internet and infrastructure services
  • Security administration
  • Application security
  • Controls over software changes
  • IT operations
  • Systems and programming
  • Disaster recovery
  • General control environment

Unsure if You Are Ready?

If you need to provide a Service Organization Control report for the first time and aren’t sure if your controls measure up, our Readiness Assessment can help.

We will meet with members of your organization to gain a greater understanding of your operations and business processes, as well as determine appropriate control objectives. Then we will assess how well you are complying with those objectives and offer guidance on ways you can improve.

Our professionals research your existing documentation and use that as the starting point for the report. We can prepare any additional documentation that is needed. To minimize the cost to you, we will work closely with you to determine how much you will need from Barnes Dennig during this phase.

As the control objectives and procedures are defined, we will determine the testing necessary to verify control effectiveness. Then we will perform a “dry run” – a preliminary test that will assess whether you are ready for an SOC examination.

At this point, most organizations require some improvement to their controls. We will work with you to ensure that the appropriate steps are taken, and we will make sure it is very clear when the Readiness Assessment ends and the attestation engagement begins.

For more information, contact your Barnes Dennig representative at info@barnesdennig.com or 513.241.8313.