Internal Control Attest Services In Accordance With SSAE 16 and AT Section 101

You tell your customers your internal controls are working. Your SOC report helps them to trust you.

As a third-party service organization, many of your prospective customers will want to review the results of your (Service Organization Controls) SOC report prior to making a decision to outsource work to you. An engagement and report on the controls at your service organization will help to establish your credibility and enable your customers to gain comfort with your level of commitment to protecting their information. And in many cases, a documented understanding of your control environment is required by client auditors, chief compliance officers, and others. To remain competitive, you need to demonstrate that adequate internal controls are in place and working.

What happened to SAS 70?
For reporting periods ending on or after June 15, 2011, Statement on Auditing Standards No. 70 (SAS 70) has been replaced by Statement on Standards for Attestation Engagements No. 16 (SSAE 16).  SAS 70 had been in place as an AICPA auditing standard since 1992 and was replaced this year for a variety of reasons including the fact that limitations in the standard had developed over time as the regulatory environment for service organizations changed.  Over time, SAS 70 was used in ways for which the standard had not originally been intended.

SSAE 16
SSAE 16 keeps pace with global accounting standards (specifically ISAE 3402) for reporting on internal controls over financial reporting at service organizations and also provides more information for end-users than had previously been captured in the SAS 70.  A SOC 1 report is issued at the conclusion of an SSAE 16 engagement.

AT Section 101
It’s important to note that SOC 1 reporting, using the SSAE 16 standard, is intended only for reporting on controls over financial reporting.  SOC 2 and SOC 3 reporting is intended for controls outside financial reporting, such as those related to operations and compliance, and is covered by engagements in accordance with AT Section 101.

BBD provides internal control attest services in accordance with SSAE 16 and AT Section 101 for small and medium-size third-party service organizations across the country.

Services provided include:

For reporting on controls relevant to financial reporting:

• SSAE 16 Type I Engagements
• SSAE 16 Type II Engagements

For reporting on controls outside financial reporting:

• AT Section 101 Engagements

Why work with BBD?

• The team’s extensive experience creates an opportunity to add value beyond the SOC report. Each engagement will conclude with suggestions to strengthen your control environment, where necessary. Making continuous improvements to your control environment demonstrates that you are serious about protecting data and information.

• Your internal control attest engagement is not a training ground for junior professionals.  All team members have extensive experience in the assessment of internal controls. An expert team works more efficiently and effectively and is less disruptive to your daily business operations.  You, and your clients, can feel assured that your internal controls are being evaluated by an expert team that understands the critical importance of your SOC report to your business operations.

• Our cost-effective services offer you access to the competitive advantage of a SOC report, which was previously available only to larger companies who could afford big firm fees.

 Can we help you?  Contact John Braun or Jim Kaiser.