Blow the dust off those SSAE 16 Reports

By: (CISSP, CISA)

Publication: The Kansas Banker , April 2014

Kansas Banker Magazine April 2014 Many financial institutions have become very reliant upon service providers for a myriad of banking operations, such as core processing, remote deposit capture, online banking, card processing, or data backups to a cloud provider. Financial institutions depend on these organizations to accurately process transactions and securely store customer nonpublic data in accordance with reasonable internal controls.

A common method for service providers to demonstrate a controlled environment is to issue a SSAE 16 report, which is produced by an independent audit firm. The collection and review of SSAE 16s usually falls to one of many positions at a financial institution; maybe someone in Compliance, IT, Internal Audit or maybe even Finance. Unfortunately, it frequently falls to an employee who wears multiple hats (especially at small institutions), and has little time to deal with this task. Financial institutions are typically aware they are supposed to collect these documents, but sometimes don’t understand how to address reviews of these documents. They know the reviews are important, but the length, number and complexity of these documents sometimes reserves them for a dusty shelf, where they may not get the necessary consideration.

SSAE 16 reports can be lengthy and hard to understand, and it can be difficult to find the relevant information in these documents. However, even though SSAE 16s can be complex, the regular review of these documents need not be, if you know the important parts to review. Before starting SSAE 16 report reviews, develop a simple form that can be used to document each SSAE 16. Better yet, there may already be one available on the Internet that could be used with some simple adjustments. This form will provide a framework for you to review each report consistently. It will also allow external auditors to easily and clearly validate SSAE 16 reviews.

While there are many important attributes of an SSAE 16 to review, at a minimum, the following areas should be covered in the SSAE 16 review process:

  1. The overall opinion of the service provider. In laymen’s terms, the “Opinion” is the independent audit firm’s overall rating of the service provider. In a nutshell, an “Unqualified” opinion is good and a “Qualified” opinion is bad. A report that is “Qualified” means internal controls were not operating effectively for one or more control objectives. A “Qualified” report should immediately raise a red flag and follow-up with the service provider would be warranted, if the financial institution has not already heard from the service provider. A “Qualified” report is fairly rare, thus the red flag. On the SSAE 16 review form, simply document the opinion status granted for the SSAE 16. Reviews of “Qualified” reports should include some additional verbiage on actions taken by the institution regarding the service provider.
  2. Exceptions identified in the report and management (service provider) responses to cited exceptions. For many SSAE 16 reports, the service provider will provide a “management response” to cited exceptions directly in the report (typically in the test table section towards the end of the report). The financial institution should review these responses to ensure the service provider has satisfactorily responded to exceptions. On the SSAE 16 review form, list the number of tests that had exceptions in relation to the total, and whether or not the service provider responded appropriately to each exception.
  3. Evaluation of the financial institution’s compliance with user controls in the SSAE 16 report. The vast majority of SSAE 16 reports cover controls implemented by the service provider, but one small section of SSAE 16 reports typically called either “User Control Considerations” or “Entity Control Considerations” lists the expected complementary controls at the user organization (financial institution). The financial institution should be reviewing its own internal compliance with these controls. The list of User/Entity Control Considerations in SSAE 16 reports is usually fairly short, commonly 1-3 pages of controls.

    To validate user/entity controls, other personnel will likely need to be engaged to help validate controls are in place, as many of the controls will invariably be operational or IT security oriented. On the SSAE 16 review form, list the user/entity controls and the status of the bank’s compliance with each control.

Financial institutions should also pay attention to the systems, applications or processes covered by the SSAE 16 report. Ensure the report adequately describes and tests relevant controls to cover the system in use by the institution.

It’s time to take care of that annual dusting.