If your service organization’s controls affect, or will eventually affect, your client’s internal controls regarding financial reporting, it is highly likely that you need to perform an SSAE 18 audit. Any time that you offer specialized services, such as SaaS or a cloud suite of offerings, and you have access to the client entity’s customer information, an SSAE 18 report is an organic part of such an engagement.
The purpose of this reporting framework is to allow you to demonstrate that your organization has proper internal controls and processes in place to address matters of information security and underlying compliance risks.
How to Prepare for an SSAE 18 Audit
If you are reading this post, you probably have some SOC assessment preparation on deck. You may feel some stress, whether it is your first time going through the process or you are concerned about some looming issue. There is no need to worry or get bogged down, because we have come up with our top nine steps to help you prepare for a smooth SSAE 18 examination.
Map Your Client’s Internal Controls.
It sounds simple enough, but this step is important. Before you start gathering information and formally preparing for your SSAE 18 audit, review everything you know about the client entity. Also, make sure to ask questions about anything that will help your audit run more smoothly. Key information you need includes the type of business your client runs, the industry or market in which they specialize, the operating environment they use, and their general service offerings. Knowing your client’s particulars can help you align your internal controls to theirs more easily.
Visit the client’s website to review their services, then read their mission statement to understand their overriding vision. Remember to also review your signed contract, which will offer a great deal of in-depth guidance. If you still have questions or concerns, call your client contact directly. This type of communication may have the added bonus of building a stronger relationship in the long run, showing your diligence in protecting their customer information.
Review Policies and Procedures.
Your written policies and procedures lay everything out for you to use as a guidepost. When you developed your policies and procedures, you should have made sure that they were written down and saved for regular updates and review. You most likely did all of that, so go ahead and pull up your formally written and fully documented collection of policies and procedures. They are paramount because they serve as the baseline against which you will compare the results of your SOC audit.
Inform and Train Employees.
This step goes directly along with your written policies and procedures, which mean little if your employees and managers are not on board and following them. Make sure you have documented all training sessions for all employees, providing answers to the following types of questions:
- Did all staff attend?
- Did staff understand the materials?
- Did staff have specific questions on key concerns?
- Did all staff sign an attendance form, as well as a form indicating understanding of the materials?
- Have staff members made errors relating to training, indicating that there was some possible lapse in communication that you might need to clarify?
The answers to these questions can help you understand why certain errors might have been made, as well as where your team is excelling.
Perform a Risk Assessment.
Most compliance and information security frameworks, audits, standards and regulations require some type of risk assessment. A formal risk assessment, performed with the assistance of a trusted auditing firm, is the best way to officially kick off your SOC audit preparation. Once you have performed your risk assessment, you can easily identify any risks in your control environment, which allows you to implement internal controls more reasonably and effectively.
Define the Scope of Your SSAE 18 Audit.
Defining the scope of your SSAE 18 audit helps you figure out your overall goals. Essentially, what do you want to learn from this audit? Decide on the physical locations you will focus on, the relevant testing period, and which specific personnel need to participate in the audit.
Outline Regulatory Obligations.
Certain industries are more heavily regulated than others, such as healthcare and payment cards. You may also be subject to certain regulations or standards, based on where your business—or your client’s business—is domiciled or where your client’s customers are located. You may be subject to compliance for one or more of the following regulations and standards:
- HIPAA/HITECH for the healthcare industry
- PCI DSS for the payment card industry
- GDPR for businesses serving customers living in one of the member states within the European Union
- CCPA for businesses working with customers residing in California
- NERC CIP standards associated with the Bulk Power System across North America
There are many additional standards and regulations, so make sure to review your contract, reach out to your client, or talk to your auditor to make sure you have everything covered.
Analyze Vendor Management Practices.
Working with your trusted vendors is essential to your business operations, but you need to ensure that their practices align with those of your new client. While you understand and have adapted to the risks involved, it is important that you take a closer look at how acceptable those risks are, in accordance with your contract with your client. Any business that you work with that may have some degree of access to your network should vet its employees by performing background checks. You may also ask for a signed non-disclosure statement and periodically review the vendor’s compliance status regarding regulatory requirements and information security.
Review Service Delivery Controls and Quality Assurance.
It is important that you do not overlook any operational risks that might affect your service delivery controls to your client. Map out how you will ensure continuous service delivery by creating a data flow diagram that depicts the life cycle of your service delivery model for the client for whom you are performing the SSAE 18 audit.
Check Your Controls.
We have compiled the “controls” matters into one section. Let’s take a closer look at each relevant control to see how you can best prepare:
- Physical Controls – These controls cover restricting access to your business’s physical environment. You might draw on your records regarding how people enter and exit your facility and how carefully you track visitors while they are on the premises. It is particularly important to limit access to any areas where your clients’ files and data stores are accessible.
- Security Controls – Security controls involve CIA, which stands for Confidentiality, Integrity and Availability. You must document any occurrence in which a client’s information has been compromised, whether through theft or some type of physical damage.
- Availability Controls – These types of controls involve things like Business Continuity and Disaster Recovery Plans in case of some type of natural or human-induced disaster or situation that may limit access to your client and their files. Additional availability controls to keep on your radar include network monitoring and data backups.
Do You Need Some Help Preparing for an SSAE 18 Audit?
It is no secret that SSAE 18 audits seem extremely complex when first getting started. There are also some steps that, for some reason, consistently trip up different service organizations. Add in the fact that you and your team are trying to juggle daily responsibilities with this important multi-step auditing process, and it makes sense that you might have questions or could use some reinforcements during preparation.
At I.S. Partners, LLC., our auditors have decades of collective experience working in this arena. Let us pitch in to help you streamline the process with the above-mentioned steps and much more, specific to your service organization. We’ll help you develop a consistent plan that builds confidence with each SSAE 18 assessment.