Can a Bad SSAE 16 Harm Your Managed Services Practice?

Companies that provide managed services are being asked to provide verification that they can actually perform the work they claim to be delivering. These third-party audit reports come in a variety of forms, but one of the more common types is called the SSAE 16. But can a poorly written or poorly executed SSAE 16 actually do more harm than good to your MSP practice? Let’s find out.

Managed Services Controls

SSAE 16, like its predecessor SAS 70, uses controls and control objectives to determine what will be covered in the audit report and what will be left out. Having the wrong controls can leave the reader with more questions than answers, especially if the reader is a customer looking for assurance about the managed services organization being audited.

Not all controls are the same. More specifically, MSPs have controls relevant to their business model that differ from those of, let’s say, a data center, which may only be concerned with physical security, redundancy, and environmental controls for the servers housed within the facility. Using the appropriate controls and objectives is very important for creating a useful SSAE 16 audit report.

Auditor Experience

Any good chef will tell you that you need good ingredients. Well, you also need a good chef! The same is true of auditing. MSPs, being the unique entities they are, need auditors who not only understand their business models, but who can also understand which controls should and should not be applied.

A qualified auditor will know which controls to apply in order to generate a report that is useful to the reader. In short, do not accept an auditor just because they are inexpensive.

What Could Go Wrong?

So, what’s the big deal, you say? Don’t believe that an SSAE 16 can harm you? Let’s examine a few ways it can.

  1. An inexperienced auditor can add more controls than are needed (causing costs to rise) or not use enough controls (meaning the cost would be lower but the report would not cover enough detail).
  2. SSAE 16 reports with insufficient detail can leave your reader with more questions and doubt. MSP customers are asking more questions, and a poorly written SSAE 16 can ultimately harm your chances of winning the trust of the customer.
  3. Choosing the wrong auditor can not only cause your costs to increase, but can also lead you to spend a lot of time and resources trying to implement controls that are not directly applicable to your business model. Poorly aligned controls that do not match up to the managed services organization can create confusion with the reader and increase costs.
  4. In the case of a compliance situation where the SSAE 16 is being requested by another compliance agent, a bad SSAE 16 can cause more doubt about the MSP in question and actually result in a lost sale.

Remember, your audit report, whether an SSAE 16, UCS, or other certification, should speak positively about your organization and what it can and cannot do. The audit report should be fair, honest, accurate, and provide assurance to the reader about the MSP.

If your SSAE 16 audit is not what it should be, ask yourself whether it is helping or harming your managed services practice.

About MSPAlliance

Founded in 2000, MSPAlliance is the world’s largest community for managed service providers. Free membership gives you access to resources, research, and certification programs that help you build a mature, compliant, and trusted MSP business.