Compliance
The SSAE 16 Auditing Standard
SSAE 16 is an enhancement to the current standard for Reporting on Controls at a Service Organization, the SAS 70. The changes made to the standard will bring your company, and the rest of the companies in the US, up to date with new international service organization reporting standards, the ISAE 3402. The adjustments made from SAS 70 to SSAE 16 will help Razorsight compete on an international level, allowing companies around the world to leverage Razorsight's advanced analytics with complete confidence.
SSAE 16 is effective as of June 15, 2011. All organizations are now required to issue their Service Auditor Reports under the SSAE 16 standards in an SOC 1 Report.
Why does Razorsight undergo annual SSAE 16 (SOC 1) Audits?
If a Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), it will more than likely be asked to provide an SSAE 16 Type II Report, especially if the User Organization is publicly traded.
Some example industries include:
- Payroll Processing
- Loan Servicing
- Data Center/Co-Location/Network Monitoring Services
- Software as a Service (SaaS)
Razorsight is an SSAE 16 Attested Company (Replaced SAS 70 Standards)
The control environment at Razorsight begins at the highest levels of the Company and sets the tone for the organization, influencing the control consciousness of our people. It is the foundation for all other components of internal controls and provides employees with Razorsight’s overall philosophy on professional conduct. The control environment provides the framework for establishing performance standards, reporting and performance monitoring, benchmarking against standards, identifying unsatisfactory performance, and pursuing appropriate action to correct significant deviations in performance by the organization. Razorsight achieves this in the following manner:
- Risk Assessment – the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed.
- Information and Communication – systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
- Control Activities – the policies and procedures that help ensure management directives are carried out.
- Monitoring – processes used to assess the quality of internal control performance over time.
- Organizational Structure – separating authorization, custody, and record keeping roles to limit risk of fraud or error by one person.
- Authorization of transactions – review of particular transactions by an appropriate person.
- Retention of records – maintaining documentation to substantiate transactions.
- Supervision or monitoring of operations – observation or review of ongoing operational activity.
- Analysis of results, periodic and regular operational reviews, metrics, and other key performance indicators (KPIs).
- Information Technology (IT) Security – usage of passwords, access logs, etc. to ensure access is restricted to authorized personnel.


