SSAE 16

September 2018

An SSAE 16 report (SSAE 16 effectively replaced SAS 70 in June 2011) is prepared by a service provider’s auditor to evaluate and issue an opinion on the internal controls that are in place at the service provider. Service providers that process transactions (i.e., manipulate data or perform calculations) may provide an SSAE 16 report on the internal controls that are present in their operations or their software. An example of a service provider that should have an SSAE 16 report is your core system data processor (i.e., shares, loans and general ledger processor). Although the purpose of an SSAE 16 report is to report on internal controls generally related to the processing of transactions, it will also cover the security and privacy controls in place.

You and your financial statement auditor can use this report to understand the internal controls that are present at a service provider. This assists you with developing proper internal controls for your operations. Your auditor can rely on internal controls that have been tested and reported in the SSAE 16 report to reduce the amount of internal control testing during your financial statement audit.

We have received inquiries from members regarding whether Alloya Corporate Federal Credit Union (Alloya) has an SSAE 16 audit report available for their review. At this time Alloya does not have any SSAE 16 audit reports available. The cost of preparation of an SSAE 16 is substantial and after a careful evaluation of the cost compared to the extensive compensating controls that Alloya has, it has been determined that Alloya will not prepare any SSAE 16s.

The following provides a high-level view of Alloya’s risk management infrastructure:

  • Alloya is required to comply with the Standards of Professional Practices of Internal Auditing as established by the Institute of Internal Auditors (IIA).
  • Alloya’s infrastructure includes an in-house internal audit function that includes a Chief Audit Executive.
  • Alloya’s Supervisory Committee contracts with an independent accounting firm to conduct an annual independent audit of the corporate financial statement. Currently, the independent accounting firm is Doeren Mayhew.
  • Additionally, Alloya contracts with external parties to conduct audits and/or assessments that require very specialized skill sets (e.g., internal/external vulnerability assessments, information systems penetration tests, code reviews, risk assessments, etc.).
  • Consistent with Regulation, Alloya has developed an extensive Enterprise Risk Management process, including an independent expert serving on a Board-level committee.
  • Alloya has invested in systems and human capital in risk management, including staff with professional certification in accounting (CPA), risk management (CFA), information security (CISSP, CISM), business continuity planning (PMP, CBCP) and auditing (CIA, CISA).
  • Alloya is regulated by the NCUA, which performs regular examinations of internal controls, internal audit, information systems, and other operational areas.

Alloya does make available SSAE 16 and SOC 1 audit reports for most of its partners with whom it contracts for processing services. Those can be found on Premier View under the Help tab.

If you have further questions, please contact John Collins, Senior Vice President Strategy and Risk Management, at 630-276-2624 or john.collins@alloyacorp.org.