Cloud Computing and the Need for a SSAE 16 (SOC 1) or SOC 2 Audit Report in Today’s Competitive Market

May 17, 2012 By David
Grazed from PRWeb.  Author: PR Announcement.

SSAE 16 Professionals has unveiled a specialty service line focusing on SSAE 16 (SOC 1) and SOC 2 reports for cloud computing companies. Cloud computing can be thought of as web-based tools or applications that users can access and use through a web browser as if the programs were installed locally on their own computers. Companies are increasingly seeking cloud service providers to reduce costs in their own business. By running applications through the cloud, a company can eliminate the costs associated with buying, maintaining, and securing the hardware to run the applications while maximizing the application’s potential to store data on remote servers. Cloud computing is also scalable, which is beneficial to fast-growing companies that may need to ramp up staff quickly over the next several years. With so much emphasis and reliance on controls at the cloud computing provider, having an SSAE 16 or SOC 2 report is not only recommended but almost mandatory in today’s competitive marketplace…

“Many cloud computing companies are choosing SSAE 16 Professionals to perform their SSAE 16 audit because of our personalized approach,” says Jim Jimenez, Managing Partner at SSAE 16 Professionals. “We have a unique blend of expertise coupled with good old fashioned client service.”

Industry Need

SSAE 16 (SOC 1) Reports, which have effectively replaced SAS 70 reports, will be prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. SOC 1 reports retain the original purpose of SAS 70 by providing a means of reporting on the system of internal control for purposes of complying with internal control over financial reporting. The Sarbanes-Oxley Act (SOX) requires publicly traded companies to perform an annual financial statement audit, which includes key processes that may impact the company’s financial statements. If these public companies outsource one of these key processes to your company, you will need to undergo an SSAE 16 (SOC 1) audit. The SSAE 16 report can eliminate the need for your company to be subject to multiple audits from your customers and their respective auditors, most likely sparing your company multiple visits from your customers’ auditors, which can place a huge strain and operational burden on your company’s limited resources.

In the past, SAS 70 reports encompassed financial reporting controls, operational controls, and compliance controls. SSAE 16 SOC 1 reports, which have effectively replaced SAS 70 reports, will be prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. SSAE 16 SOC 1 reports can no longer be used for any purpose other than reporting on the system of internal control for purposes of complying with internal control over financial reporting. For reports that are not specifically focused on internal controls over financial reporting, the AICPA has issued an interpretation under AT Section 101 permitting service auditors to issue reports. These reports will now be considered SOC 2 audit reports. SOC 2 reports will focus on controls at a service organization relevant to one or more of the following Trust Services principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

SSAE 16 (SOC 1) and SOC 2 Type I and Type II Audit Reports

SSAE 16 Professionals completes both SSAE 16 (SOC 1) and SOC 2 Type I Audit Reports and SSAE 16 (SOC 1) and SOC 2 Type II Audit Reports.

  •     SSAE 16 and SOC 2 Type I Reports – A report on policies and procedures placed in operation as of a specified point in time. SSAE 16 and SOC 2 Type I Reports evaluate the design effectiveness of a service provider’s controls and then confirm that these controls have been placed in operation as of a specific date.
  •     SSAE 16 and SOC 2 Type II Reports – A report on policies and procedures placed in operation and tests of operating effectiveness for a period of time. SSAE 16 and SOC 2 Type II Reports include the examination and confirmation steps involved in a Type I examination plus an evaluation of the effectiveness of the controls for a period of at least six calendar months. Most user organizations require their service provider to undergo the Type II level examination for the greater level of assurance it provides.

SSAE 16 and SOC 2 Readiness Reviews

Additionally, many service organizations undergoing the SSAE 16 or SOC 2 audit for the first time choose to perform an SSAE 16 or SOC 2 Readiness Assessment. SSAE 16 and SOC 2 Readiness Assessments are consulting engagements that are designed to assist service organizations in assessing their preparedness for an SSAE 16 or SOC 2 audit. SSAE 16 Professionals works collaboratively with management teams to perform a detailed readiness review and provide a gap matrix that identifies controls that would pass right away, controls that would partially fail, and controls that would fail and require remediation (in priority order with recommendations for remediation). Some firms go right into the SSAE 16 or SOC 2 audit and realize there are issues which result in a qualified opinion. By that time, the service organization has spent a lot of time and money only to get a qualified report (which is useless to both the service organization and its clients).

Benefits of Performing a SSAE 16 or SOC 2 Audit

There are many benefits of performing an SSAE 16 or SOC 2 audit, including:

  •     Annual Investment – Many companies view SSAE 16 and SOC 2 audits as an annual investment with a proven ROI, increasing the service organization’s prospective client base, organizational productivity, customer retention and accountability.
  •     Financial Audit Requirement for Public Companies – Auditors of a user entity’s clients will increase their scrutiny of the “system of internal control” during their audits of the financial statements (Sarbanes-Oxley), which will result in more requests for the service organization’s SSAE 16 report.
  •     Competitive Advantage – SSAE 16 and SOC 2 reports can be a key differentiator to a service organization’s prospective clients.
  •     One Time Audit – Avoids user auditors (auditors of user entities’ clients) continuously contacting the service organization’s personnel for separate audits throughout the year. Rather, a service organization’s clients request and rely on the SSAE 16 or SOC 2 report.
  •     Increased Trust and Transparency with Customers – Customers are more likely to trust a service organization with their data or with performing an important business process on their behalf because they will have the ability to review the SSAE 16 or SOC 2 report and verify the effectiveness of the service organization’s controls. This allows the service organization’s customers to manage their risks and exposures while outsourcing key business services to the service organization.
  •     Increasing Organizational Efficiencies and Cost Reductions – SSAE 16 Professionals takes a consultative approach to each engagement, allowing the firm to “think outside the box” and provide value-added recommendations for improving a service organization’s business.
  •     Build Efficiencies with RFPs – If a service organization receives RFPs throughout the year from client prospects, an SSAE 16 or SOC 2 can reduce the overall effort in completing the RFP. Client prospects are concerned with risks to their information, many of which will be independently tested within the SSAE 16 or SOC 2 report. Additionally, if a service organization does not perform an SSAE 16 or SOC 2 and the RFP includes a question requiring the report, the service organization faces the possibility of being eliminated from the bidding process, even if it is the most qualified service provider.

The SSAE 16 Professionals Difference

SSAE 16 Professionals differentiates itself from local, regional, national, and “Big 4” CPA firms in several distinct ways:

  •     Experience – SSAE 16 Professionals’ leadership team has over 80 years of business management, operations and related information technology (IT) experience.
  •     Resources – SSAE 16 Professionals’ detailed and collaborative approach also helps to identify opportunities for improvement within client operations. SSAE 16 Professionals’ proven methodology, flexible delivery methods, efficient economic operating model and focus on adding value for clients is evident in everything SSAE 16 Professionals does.
  •     Personal Touch – The partners and managers at SSAE 16 Professionals take a very active role in each engagement. SSAE 16 Professionals does not disappear after the proposal process.
  •     Fixed Fee Engagements – Many firms quote a low fee with a lot of assumptions and then hit the client with change orders when the work inevitably takes longer. SSAE 16 Professionals’ quote is set in stone (fixed fee), and SSAE 16 Professionals will write off any excess time to get the work done properly (any time incurred on top of the fixed fee would be a first-year investment in hopes of establishing a long-term SSAE 16 relationship with clients).
  •     Full Readiness – SSAE 16 Professionals does a full/complete SSAE 16 readiness run-through of all controls/areas and provides detail on what needs to be done to pass every test.