Unlike many other compliance subjects, where the certification or attestation is point-in-time, SSAE 16 Type II is a period-of-time attestation. The chosen US-based CPA firm wants to verify not only that controls are implemented but, more importantly, that they have been operated consistently and rigorously over the preceding 6 months.

If you are considering the journey, here is what you need to do:

Start with an enterprise/information risk assessment: This must cover not only your external risks but also your internal risks. Any event or threat that could jeopardise the organisation's operations should be identified as part of this. The exercise can take anywhere between 3 weeks and 6 weeks, depending on the size and complexity of the organisation.

Define the control framework: A framework starts with the creation of an enterprise team comprising (but not limited to) a risk management committee, a chief risk officer or security manager, and the department heads. Each of these roles and its functions must be documented in a formal roles and responsibilities document that shows whether the role is part of risk identification, risk management, or both.

Choose one or more international best practices that suit your enterprise risk

A number of international standards can be used as reference material for implementation (not exhaustive):

  • Enterprise Risk Management – ISO 31000
  • Quality Management System (QMS) – ISO 9001
  • Information Security Management System (ISMS) – ISO 27001/ISO 27002
  • Business Continuity Management (BCM) – ISO 22301/ISO 24762
  • IT Governance – COBIT 5/ISO 28000
  • ITIL Service Management (ITSM) – ISO 20000

Documentation – policies, procedures and processes

Based on your choice and its applicability, you may then need to write individual policies that govern your organisation's risk. An enterprise risk policy, an information risk policy and risk registers are some of the common enterprise-level documents created. At the department level, policies and procedures that minimise fraud (such as change management and access management) are also created. The set of documents to be created can be anywhere between 30 and 50 policies, depending on your risk assessment, and should encompass all parts of the business operation.

Perform an internal audit

The internal audit should ideally be done by an independent team in order to verify completeness.

Maintain an annual program to keep the momentum

Note that SSAE 16 attestation is an enterprise program, not a project that ends at a specific point, so management should ensure that the policies so defined become part of every business life cycle, whether it involves acquiring a new customer or hiring a new employee. One simple way to achieve this is through incentives for employees.

Outcome and benefit

The resultant outcome is a system of people, processes and technology that demonstrates the control environment in the organisation. This will be of great value to your existing and future customers.

Want to know more about the difference between SSAE 16 Type I and Type II? Read this blog:


Hope this helps!

Author: Probal C