The SSAE 16, formerly known as the SAS 70, is an examination of the business processes that can influence a company’s financial statement. The report is typically shared with entities that have a vested interest in the financial health of the company. In our case, these entities included card-issuing partners, payment transaction processors, large retail merchants, and investors. Having recently completed an examination, questions regarding the scope are fresh in my mind.
The auditor reminded me that the scope is a function of something called Internal Control over Financial Reporting (ICFR). If it doesn’t impact ICFR, it’s not in scope. By the way, here’s a shout-out to Daniel Kugel and Jamie Kilcoyne at K Financial – thanks for the great work, guys!
Depending on your perspective, this is either the blessing or the curse of the SSAE 16. Management has a great deal of latitude in determining the processes that are relevant and have a significant impact on financial reporting. The stronger your security or compliance person, the more this flexibility is a blessing. Someone with intimate knowledge of your business model is in the best position to determine which processes are most relevant and have the most impact on financial reporting.
Here are some examples of processes that were in scope at my former employer. Follow the money!
- Merchant billing.
- Member reward payout.
- Donations to charities.
Other processes are not directly related to cash flow, but to the systems supporting cash flow.
- The loyalty management system that performs the processes listed above. Note that if your system is hosted by a third party, the vendor is in scope as well. You have the option of making the vendor part of your SSAE 16, or making the vendor do its own SSAE 16. The latter is more common.
- ACH and check records of billings and payments.
Still other processes are not directly related to cash flow or to the supporting systems, but nonetheless impact ICFR.
- Merchant activation – the step after the sale that enables rewards tracking and billing.
Clearly, these processes are unique to the business model. A good auditor will try to gain an in-depth understanding of the business model before designing the controls that will be in scope, but the company security or compliance person has the edge.