How to Convince Leadership to Undergo an SSAE 16 Examination
Certainly, the primary reason service organizations undergo a Statement on Standards for Attestation Engagements 16 examination is to respond to customer demands. Although waiting until the customer asks may make good business sense, proactively undergoing the examination can offer the service organization many benefits. Yet even with the inherent benefits, the SSAE 16 examination can be difficult to sell to executive management. Here are the top five reasons those managers should choose to undergo an SSAE 16 examination.
- Bolster Trust and Confidence. The SSAE 16 examination enables a service organization to provide its customers with detailed information about their system. This includes a CPA’s report on its controls that impact internal controls in financial reporting. When this report is provided on an annual basis, it can deliver a remarkable level of assurance to customers. In contrast, not being able to provide this report can be detrimental to business because CPAs auditing customers’ financial statements will expect to be able to obtain and use an SSAE 16 report as part of the audit. Simply put, many clients won’t even consider a service organization that hasn't undergone an SSAE 16 examination.
- Independent Opinion. As an independent report on a service organization’s controls, potential and existing customers hold this report in high regards. During the SSAE 16 examination, the independent CPA tests and validates the design and effectiveness of the service organization's processes, policies, and procedures that affect a customer’s financial statements. In addition, the successful completion of the SSAE 16 examination enables executive leadership to assure customers that the organization’s processes meet the stated level of compliance. Many customers consider this to be a necessity, and an SSAE 16 report conveys the organization's level of quality in an easily recognizable format.
- One Exam for Multiple Requests. A single SSAE 16 examination fulfills many customers’ requests. In the absence of an SSAE 16 report, customers’ auditors will have to find an alternative method of obtaining evidence about controls at the service organization (perhaps by visiting the service organization and performing their own tests), which can create an unnecessary strain on the customers’ resources. An SSAE 16 report provides each customer and auditor with access to uniform information, which in many cases satisfies the auditor’s need for evidence.
- Make Management More Responsible. The SSAE 16 standard includes a requirement for management of the service organization to provide the CPA with a written assertion in which management of the service organization acknowledges its responsibility for the services it provides, as well as other matters. As a result, management must take a more active role in the process and develop a more vested interest in the outcome. The new vested responsibility of management commonly provides customers with an additional level of confidence because of the top-down perspective.
- Offer a Competitive Advantage. In the highly competitive global services marketplace, competing organizations are constantly trying to differentiate themselves from other providers. Considering two equal service organizations, potential customers will be more willing to conduct business with a vendor who has proactively undergone an SSAE 16 examination. The ubiquitous nature of the SSAE 16 examination causes customers to question vendors who are unable to provide these reports.
SSAE 16 examinations have become a necessary helpful tool for service organizations to assess their processes. Most impressively, these reports invite potential customers to inspect a service organization's systems through the lens of an independent party. Simply put, the entire process entailed in a SSAE 16 examination offers a significant value added service that is easily recognized and well received by customers.
Avani Desai, Vice President, BrightLine CPAs & Associates. Avani has more than 10 years of experience in IT attestation, risk management, compliance and privacy.