SSAE 16 is an enhancement to the current standard for Reporting on Controls at a Service Organization (formerly SAS 70). The changes made to the standard bring it into alignment with the new international service organization reporting standards (ISAE 3402). Razorsight's Annual SSAE 16 report allows our customers around the world to leverage Razorsight's advanced analytics with complete confidence.
SSAE 16 was effective as of June 2011. All organizations are now required to issue their Service Auditor Reports under the SSAE 16 standards in a SOC 1 Report.
Why does Razorsight undergo Annual SSAE 16 (SOC 1) Audits?
If a Company performs outsourced services that affect the financial statements of its customers, it will more than likely be asked to provide an SSAE 16 Type II Report, especially if the customer is a publicly traded company.
- Payroll Processing
- Loan Servicing
- Data Center/Co-Location/Network Monitoring Services
- Software as a Service (SaaS) or Cloud-based Applications
Razorsight is an SSAE 16 Attested Company (Replaced SAS 70 Standards)
The control environment at Razorsight begins at the highest levels of the Company and sets the tone for the organization, influencing the control consciousness of our people. It is the foundation for all other components of internal controls and provides employees with Razorsight’s overall philosophy on professional conduct. The control environment provides the framework for establishing reporting and performance monitoring, benchmarking against standards, identifying unsatisfactory performance, and pursuing appropriate action to correct deviations in performance by the organization. Razorsight adheres to these controls in the following ways:
- Risk Assessment – the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed.
- Information and Communication – systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
- Control Activities – the policies and procedures that help ensure management directives are carried out.
- Monitoring – processes used to assess the quality of internal control performance over time.
- Organizational Structure – separating authorization, custody, and record keeping roles to limit risk of fraud or error by one person.
- Authorization of transactions – review of particular transactions by an appropriate person.
- Retention of records – maintaining documentation to substantiate transactions.
- Supervision or monitoring of operations – observation or review of ongoing operational activity.
- Analysis of results, periodic and regular operational reviews, metrics, and other key performance indicators (KPIs).
- Information Technology (IT) Security – usage of passwords, access logs, etc. to ensure access is restricted to authorized personnel.