You've been asked for an SSAE 16. Now what?
At a recent debt collection industry event I was asked numerous times: Do I really need to undergo an SSAE 16 audit?
It's a common request, especially if you work with financial institutions. However, the short answer to the question is, it depends.
All too often, misaligned business and/or compliance objectives drive a requirement from which neither the requester, nor the requested of, receives any actual benefit. In fact, a perception of compliance that doesn’t actually exist can create additional risk for the organization. The SSAE 16 is a prime example of this.
There's one big question you need to ask prior to pursuing an SSAE 16...
What are you really being asked to verify and report on?
An SSAE 16, or SOC 1 as it is formally called, is an audit of internal controls over financial reporting at a service organization. In other words, this audit examines how the service provider handles their client’s money.
As such, the SSAE 16 targets service providers that provide a financial service of some kind. This is particularly appropriate for those who offer debt collection services.
For example, if a user organization such as a lender needs third-party assurance that your agency’s financial reporting of its recovery activities is accurate, then the answer to our title question is yes.
Is the request for SSAE 16 information security related?
Now if the lender is asking for an SSAE 16 in order to validate your agency's information security controls, then they are doing so in error. Why? Because the SSAE 16 is specifically designed NOT to report on information security controls.
Herein lies the rub. Virtually every conversation I have had with businesses in the Accounts Receivable Management (ARM) industry has revealed that the requested purpose of the SSAE 16 is to validate information security controls.
Why audits should be aligned with your risk profile.
The sad reality is that lenders and debt buyers regularly perform their own financial reporting audits—something which the SSAE 16 is meant to replace! But then they request an SSAE 16 for information security assurance, which it was never meant to provide. In this all-too-common scenario, service providers pay big bucks to receive an audit their user organizations don’t need, while the user organization checks a box for which they have no real assurance.
It’s time for service organizations and the user organizations they serve to take a fresh look at their respective assurance vehicles and mutually agree upon which third-party audit reports will actually meet their risk-reduction objectives.
For financial reporting, most consider SSAE 16 appropriate. However, nowhere in the legislation is SSAE 16 or any other audit report specifically called out. Rather, it is up to the user organization to determine which third-party audit is appropriate based on the unique risk the service provider poses, given the nature of the services they provide.
Now, about information security...
If information security assurance is the actual goal, what are the appropriate third-party audit reports? And more importantly, could your organization consolidate the audits it's conducting or undergoing to save valuable time and money? The answer is yes! Click here learn more.