SAS 70, SSAE 16, & ISAE 3402 Readiness Assessment Services

Note: Effective June 15, 2011, all reports on controls at service organizations must be performed in accordance with SSAE 16 and/or ISAE 3402, at which point the current SAS 70 audit reporting standard will no longer be utilized. For clarity, the services below denote a “Service Audit” in place of a SAS 70 audit. Distinction between the two standards is made where required.

Overview

Readiness Assessments are designed to assist service organizations in assessing their preparedness for a Type 2 SAS 70 / SSAE 16 / ISAE 3402 audit. These services are available exclusively to service organizations that engage our company to perform an audit at a later date.

Unlike a service audit, which has the objective of reporting on existing controls, our Readiness Assessment services are designed to identify those controls that should be implemented or improved prior to an actual audit. By executing our proprietary methodology, our Readiness Assessment services provide our clients the following benefits:

  • Client personnel are introduced to SAS 70 Solutions’ methodology and operating procedures.
  • Expectations for the future audit, including time commitments that may be necessary from key client personnel, are clearly communicated.
  • An internal-use-only report is provided to the client that creates the basis for improving the overall control environment.
  • The description of controls is drafted and ready to be used for the subsequent audit.
  • Strengths and weaknesses in the current control structure are clearly communicated to the client.
  • The client has sufficient time to remediate any gaps in the control structure.
  • The client can obtain immediate responses from SAS 70 Solutions' professionals regarding the impact that potential changes to services or controls may have on the upcoming audit.
  • The scope of the subsequent audit, and specifically the control objectives and related control activities, are refined based upon the Readiness Assessment results.

Scope

The anticipated scope of the eventual service audit is typically used for the purposes of the Readiness Assessment; however, the service organization’s management may elect to modify the scope of the service audit based on the results of the readiness assessment and discussions with the audit team.

Deliverables

The primary deliverables of a readiness assessment include:

  • Detailed project plan for the project
  • Comprehensive questionnaires and an information request list allowing service organization personnel to gather documentation in advance of fieldwork
  • A Readiness Assessment report containing the description of controls for use in the subsequent service audit
  • Any additional reporting requirements specific to the new SSAE 16 and/or ISAE 3402 standards
  • Identification of controls currently in place for each in-scope control objective
  • A prioritized listing of controls that should be considered for implementation or enhancement prior to the execution of the service audit
  • Additional observations and gaps noted during the assessment

Who Should Consider a SAS 70 / SSAE 16 / ISAE 3402 Readiness Assessment?

The following are characteristics of the typical Readiness Assessment candidate:

  • The service organization seeks a cost-effective method to assess its preparedness for an eventual service audit.
  • The service organization has not recently undergone a financial or regulatory audit that included IT controls as a component.
  • The service organization prefers an internal-use-only report for the purposes of identifying any current control deficiencies.
  • The service organization plans to perform a Type 2 service audit as its initial audit.