KCIC is currently in the midst of our annual SSAE 16 audit. SSAE 16 stands for Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization. It was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010. The SSAE 16 audit gives authoritative guidance for reporting on service organizations.
The audit is performed by an accounting firm on an annual basis. The purpose of this audit is to ensure that we have the necessary controls in place to keep our clients’ sensitive data safe and secure. Most companies’ internal auditors require any organization that provides services to the company and has control of certain types of data to undergo this type of audit.
Our audit has two parts. The first part looks at the physical security of our office space, the security of our servers, and access to the data. The second part audits our procedures for intake and processing of new complaints, invoices, monthly billings and payments.
In the first part, the auditors want to ensure that we have reasonable controls in place so that no unauthorized personnel can enter our physical office space or access our databases and servers. This is to limit the possibility of unexpected changes to our clients’ data stored in our office or on our server.
In the second part, the auditors confirm that we have strong procedures in place to ensure that all complaints received are processed and the correct people are notified, that we pay the correct amount for invoices and settlements and pay the correct people, and that we bill the insurers properly and accurately account for the payments received for those billings. Once the procedures are verified, the auditors sample our daily and weekly activities so that they can see evidence that our procedures are consistently followed.