What Magneto's Helmet and Non-ICFR SSAE 16 Controls have in Common


Both are designed to mitigate unlikely risks.  For anyone who may not know, Magneto's nemesis, Professor X, has the ability to read minds, and in order to protect his thoughts from being intercepted, Magneto wears a helmet made of lead.  Magneto and Professor X are not real, and neither is the ability to read minds, but judging by many of the controls I see in SSAE 16 reports that are supposed to contain only controls that mitigate the risk of material financial misstatement, I would not be surprised to see a control such as "We use lead-lined drywall in our offices to prevent psychics from seeing us enter our passwords."

Recently I have had opportunities to observe several auditors defend why they believe the controls contained in their clients' SSAE 16 reports are relevant to internal controls over financial reporting (ICFR).  The auditors argue that the risk events the controls mitigate are "possible."  I have had to explain, to seasoned auditors in some cases, that just because a risk event is possible does not mean it is reasonable to conclude that a control is ICFR relevant.  I mean, sure, some people believe in psychics, and there is probably anecdotal evidence out there that password sniffing via psychic is "possible," but is jumping from there to a control requirement for lead-lined drywall reasonable?  Of course not.  It is equally unreasonable to say that having fire suppression in your data center will prevent you from materially misstating your financials.

Do we really need to explain that physical security, environmental, and operational controls do not belong in SSAE 16 reports, or is there something more sinister going on?  Why haven't auditors required their clients to remove non-ICFR controls from their SSAE 16 reports, as the standard has required for the two years since the launch of SOC reports?  Could it be that the number of controls that require testing in an audit program directly relates to the audit fees that can be justified?

I remember that in years three or four of Sarbanes-Oxley compliance my clients would start "control rationalization exercises," where they would evaluate the risk a control mitigates in order to justify its removal from the external auditor's scope.  It was easy for management to calculate the value of performing this exercise: total audit fees divided by the number of controls equals the audit fee per control.  It stood to reason that the more controls you could "rationalize," the lower the audit fee should be.

I believe that most auditors know it is unreasonable to include physical security, environmental, and operational controls in SSAE 16 reports, but they are unwilling to do anything about it until their clients sign up for SOC 2 engagements.  As long as clients do that, audit fees will increase rather than decrease.  How short-sighted is that, though?  Requiring clients to remove non-ICFR controls would have created an assurance vacuum that SOC 2 was designed to fill.  As it stands now, auditors who issued non-compliant SSAE 16 reports have a credibility problem.

If you are hearing about SOC 2 for the first time, and are looking to engage an auditor, you should ask to see some of their SSAE 16 work before making that decision.  If you are considering a report other than SOC 2 for assurance pertaining to security, availability, and/or confidentiality, please read my posts on why SOC 2 is a superior report to all others below:  

13 comments:

  1. I agree with your point that the auditor may not push the client to remove non-ICFR controls from the report in order to preserve fees; however, this is not always the case. In many instances, the client requests the auditor to include non-ICFR controls in the report to demonstrate compliance with certain contractual requirements. This is also a way for them to avoid the expense of a separate SOC 2. The auditors, wanting to keep their clients happy, simply look the other way.

  4. I am curious about the possibility of performing an effective data security audit. How can it be possible for the whole if hackers keep coming up with new, sophisticated ways to make a breach? I can only say that some systems, like virtual data rooms, must have more complicated defenses on board.
