How Subservice Organizations Impact SSAE 16 Reports

By: Scott Price, Managing Partner of A-LIGN

Determine whether your SSAE 16 Report is saving your client money or costing them!

With year-end financial audits fast approaching, your clients will soon be requesting your SSAE 16 report. Why? This is because your SSAE 16 reports will allow your client’s financial auditors to determine if they need to perform additional testing or if they can utilize the report for their year-end financial audit. If the latter option happens to be this case, your SSAE 16 report will save your clients both time and money. Now, aren’t you efficient?

The more technical takeaway that you need to understand:

As a reviewer and assessor of SSAE 16 reports, it has become widely recognized that the prevalent use of subservice organizations will only continue to grow, and although this trend is great for business, it could present unique challenges for the usability of your SSAE 16 report.

Here is the challenge:

As companies continue to outsource certain processes, the use of downstream subservice organizations continues to grow as well.

Say, for instance, you are a company that provides managed IT services, but your actual co-location is outsourced to someone else. This would be important for your clients to understand, as their financial auditors would need to assess the controls at the subservice organization and if there is any affect on the company’s internal control over financial reporting.

Another example could be, if you were a claims administrator and the application you use for claims administration is hosted and managed by a third party. This would impact your client’s financials due to the fact that the controls at the subservice organization impact the hosted application and the claims administration process.

What your clients need to understand about your report:

On your SSAE 16 report, your auditor will note, in the opinion letter, whether or not an inclusive or carve-out method was used. This is where your client and their financial auditors will need to pay close attention.

An inclusive method means that your SSAE 16 auditor performed an assessment at the subservice organizations that you utilize, in order to assess the controls that could impact your client’s internal control over financial reporting.

A carve-out method means that your SSAE 16 auditor did not audit the subservice organizations that you utilize, which leaves unmitigated risk over financial reporting.

The inclusive method is what brings additional value to your client, as it should mean that their financial auditor’s have less work to do. However, the carve out method is going to require that your client’s financial auditors will need to assess the role of the subservice organization. If they deem the subservice organization to be material then they will either require a copy of the SSAE 16 report from the subservice organization or need to do additional testing at the subservice organization.