Ask A-LIGN: When receiving our first SSAE 16 audit, if the auditors find minor mistakes, will we have the opportunity to correct them?
By: Scott Price, Managing Partner of A-LIGN
Answer: I hear this question often and, my answer is, “it depends.” I realize this is not the response most of you were hoping for, but I will elaborate.
If your audit is a Type 1 SSAE 16, you can elect to have the review date of the report dated for when the service organization has remediated all deficiencies found in the controls. This is one of the main reasons why service organizations like to start with a Type 1 audit. However, in the same breath, the user community sees the limitations of a Type 1 since it only gives assurance at a specific point in time. It is a snapshot.
Conversely a Type 2 SSAE 16 review is over a period of time (more like a movie), but as the old saying goes, time can be friend or foe. For example, if we test the control activity over daily controls performed, you cannot go back in time and back up any data that was previously in the environment. So, unfortunately the service organization is stuck with the exception, but you are able to respond in the report to elaborate on any controls that have been implemented to ensure the control activity issues were resolved. However, if a terminated employee is found with access to the Windows network, we notify the service organization immediately and take corrective action. Another option would be that, if you were still in the review period, the service auditor would be able to retest the control activity and note in the report that the exception existed and that the remediation was performed. The service auditor would then input the notes in the “Information Provided by the Service Auditor” section providing independent verification that the remediation took place. Please keep in mind that, if the last day of the review period has passed, the service auditor typically cannot include the remediation in their testing. The service organization would be responsible for including any remediation in the “Other Information Provided by the Service Organization” section of the report to let readers know that remediation did in fact occur.
Both timing and exceptions come into play on whether or not you are able to make minor corrections to your report. A Type 1 can be remediated prior to the review date and a Type 2 exception can be remediated, but is dependent upon the nature of the exception and the timing of the testing by the service auditor.
Have questions for our compliance professionals?
Submit them via email to email@example.com.