What Magneto's Helmet and Non-ICFR SSAE 16 Controls have in Common


Both are designed to mitigate unlikely risks.  For anyone who may not know, Magneto's nemesis, Professor X, has the ability to read minds, and in order to protect his thoughts from being intercepted, Magneto wears a helmet made of lead.  Magneto and Professor X are not real, and neither is the ability to read minds, but judging by many of the controls I see in SSAE 16 reports that are supposed to contain only controls that mitigate the risk of material financial misstatement, I would not be surprised to see a control such as "We use lead-lined drywall in our offices to prevent psychics from seeing us enter our passwords."

Recently I have had opportunities to observe several auditors defend why they believe the controls contained in their clients' SSAE 16 reports are relevant to internal controls over financial reporting (ICFR).  The auditors argue that the risk events the controls mitigate are "possible."  I have had to explain, to seasoned auditors in some cases, that just because a risk event is possible does not mean it is reasonable to conclude that a control is ICFR-relevant.  I mean, sure, some people believe in psychics, and there is probably anecdotal evidence out there that password sniffing via psychic is "possible," but is jumping from there to a control requirement for lead-lined drywall reasonable?  Of course not.  It is equally unreasonable to say that having fire suppression in your data center will prevent you from materially misstating your financials.

Do we really need to explain that physical security, environmental, and operational controls do not belong in SSAE 16 reports, or is there something more sinister going on?  Why haven't auditors required their clients to remove non-ICFR controls from their SSAE 16 reports, as the standard has required for the two years since the launch of SOC reports?  Could it be that the number of controls that require testing in an audit program directly relates to the audit fees that can be justified?

I remember that in years three or four of Sarbanes-Oxley compliance my clients would start "control rationalization exercises" in which they would evaluate the risk a control addressed in order to justify its removal from the external auditor's scope.  It was easy for management to calculate the value of performing this exercise: total audit fees divided by the number of controls equals the audit fee per control.  It stood to reason that the more controls you could "rationalize," the lower the audit fee should be.

I believe that most auditors know that it is unreasonable to include physical security, environmental, and operational controls in SSAE 16 reports, but they are unwilling to do anything about it until their clients sign up for SOC 2 engagements.  As long as clients do that, audit fees will increase rather than decrease.  How short-sighted is that, though?  Requiring clients to remove non-ICFR controls would have created an assurance vacuum that SOC 2 was designed to fill.  As it stands now, auditors who issued non-compliant SSAE 16 reports have a credibility problem.

If you are hearing about SOC 2 for the first time and are looking to engage an auditor, you should ask to see some of their SSAE 16 work before making that decision.  If you are considering a report other than SOC 2 for assurance pertaining to security, availability, and/or confidentiality, please read my posts on why SOC 2 is a superior report to all others below:

54 comments:

  1. I agree with your point that the auditor may not push the client to remove non-ICFR controls from the report in order to preserve fees; however, this is not always the case. In many instances, the client requests the auditor to include non-ICFR controls in the report to demonstrate compliance with certain contractual requirements. This is also a way for them to avoid the expense of a separate SOC 2. The auditors, wanting to keep their clients happy, simply look the other way.
  4. I am curious about the possibility of making an effective data security audit. How can it be possible at all if hackers come up with new sophisticated ways to make a breach? I can only say that some systems like virtual data rooms must have more complicated defense on board.

  17. spammy blog m8t
