SSAE16 – The Price of Admission

I freely admit that the phrase “price of admission” sends a shiver down my spine as my son is within a year of heading to college and my bank account is already feeling trimmer. Yet, that price of admission is for another blog in another industry… In the HR Technology industry the “price of admission” can be summed up in one simple collection of letters and numbers, SSAE16 – The Statement on Standards for Attestation Engagements Number 16. In this day and age of heightened security and identity thefts, it is irresponsible for a service and/or technology organization that handles key employee data (SSN, Date of Birth, Salary, etc) to not have received a stamp of approval from an independent auditor following prescribed standards. As you’ll see below, for the work that we perform on behalf of our clients, any HR technology company with whom we work must meet this bare minimum requirement – we consider it the price of admission! My hope is that anyone reading this blog is familiar with this accounting audit standard (formerly known as SAS70), but in case you are not I’ll provide a quick overview and some background/detail on why it is so critically important today. SSAE16 is the audit standard set forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Essentially, it is an independent audit of a service organization to ensure that the security (physical and otherwise) of the systems is appropriate, that the systems being audited are managed appropriately, that there are adequate levels of security testing, and that the overall infrastructure is sound, secure, and stable. Sounds like a pretty good idea for your payroll company to have, right?!? You’d be surprised at how many service organizations look past this audit or feel they are covered through partnerships. Surprised may be the wrong term. Horrified is likely more appropriate. When you ask your payroll, HR, benefits administration, time and attendance or other HR technology provider whether they have an SSAE16 audit, here are a few things for which you should listen…

  • If your provider states that their data center has an SSAE16 audit and they are covered by that, you should dig deeper. While it is certainly a good thing for a provider’s data center to have an SSAE16 audit, it doesn’t pass the price of admission test for a service organization. Part of the SSAE16 test is looking at the controls of the service organization, not just the data center. So, press on your provider and ask them why they don’t feel their organization needs to test their own security processes;
  • If your provider states that they have a Type I audit, ask them why they didn’t get a Type II. A Type I audit is a “point in time” audit. The auditors come in on a particular day and as long as they meet all the requirements that day, they pass. In my opinion, anyone can look good for a day. It is like brushing your teeth the day you go to the dentist, but ignore oral hygiene the other 364 days. That doesn’t work with your dentist and it shouldn’t work for you when data security is considered.
  • If your provider states that they have an SSAE16 audit, your next question should be to ask whether they received a qualified or unqualified opinion. In this case, a qualified opinion is a bad thing. That means that they qualify their statements with concerns. An unqualified opinion means that they do not qualify their opinion and that the organization is meeting the stated standards.

Don’t get me wrong, by no means am I stating that an organization with a Type II SSAE16 audit (unqualified opinion) can’t have a data breech. It isn’t an insurance policy. It is, however, a strong indicator on the quality of the organization and the importance it places on data security and controls. Without it, there won’t be any admission into a MillsonJames-run evaluation, that much is certain. Let’s Advance HR together!

Leave a comment

Questions, comments, or ready to Advance HR through Technology?

Contact us now.