The SSAE16 Audit Journey: What a long strange trip it’s been

A while back, I wrote that preparing for an SSAE 16 audit was a lot like traveling with kids. Now that we’re wrapping up the actual audit, I can easily say that the ‘itinerary’ we had in place for the trip served as an adequate guide. But, as with any family vacation, we had our share of frayed nerves, challenging discussions, and a couple of awkward moments. We also had several moments that would make any parent beam with pride.

We’d prepared the team as well as we could, giving them the training and tools they needed to up their game. We told them what to pack, and then we went and checked the ‘suitcase’ to make sure everything was packed. We ran internal flash audits to ensure process adherence. We created centralized process repositories and made sure that people knew where to go to get answers to questions about process. We reviewed change requests, and even added additional governance around process violations, pulling the offending change owner into a room at 3:00 PM on Friday afternoons to discuss some of the items we needed them to improve on. We were as ready as we could be.

Going my way?
Sometimes when you head out on that trip with the family, it’s not just the suitcases that you need to concern yourself with. When you’re travelling with a group, there are a lot of items that need to make their way into the car. In a recent weekend excursion with the family, one of my ‘helpers’ took my laptop out of the car. They didn’t want it to get damaged while they were helping pack. As you might guess, it never made it back into the car, forcing me to scramble to get some things done. The intention was good, the execution needed to be better.

Just ahead of their time on site, the auditors sent a request list for what they’d be looking for. We dutifully worked to pull items together for them. While onsite, we had our process and system owners meet with the audit team to answer their questions. We provided the access they needed to be confident in the population they needed to test, often pulling the data with them in the room so they were comfortable with the process used to gather the information. In short, we worked to accommodate their needs with the hope that if they got what they needed, we’d be in good shape.

For the most part, our team was well prepared. The auditors were impressed with many of our ‘complementary controls’ above and beyond normal process. We had a couple of items that raised some questions. For example, we needed to walk through our security training steps to make sure the audit team understood our program. We’d complied with our processes, but it was a discussion we needed to work through with the audit team.

What’s that smell?
As we finished a recent family trip, we got into the car at the end of the weekend. It took us a while to figure out that the strange smell was a half-eaten burger the boy was saving for later. Two days later, as it turns out. Needless to say, it wasn’t a viable snack at that point.

We had our share of challenging moments during the audit as well. The auditors found an incident that had been On Hold for a couple of weeks without an update. There was the change that didn’t have enough detail in the post incident review, just ‘change done’. In short, nothing that compromises our level of service, but things where we really need to continue to socialize the rigor we require to deliver the level of service our clients expect. There were a few ‘head slap’ moments that we want to avoid going forward.

Knocking the sand out of our shoes
We’re currently working on follow-up items with the audit team, and expect to have our final opinion in the next 60 days. We’ve also followed up with the team and reinforced that the attention to detail we preached during the audit needs to be standard operating procedure going forward. We’re working to change team meeting agendas to include an audit/process review task. In time, it will just be how we do things, but the audit framework helps people focus on their role in maturing our operations.

As with most family trips, despite the challenges along the way, we tend to look back fondly on the journey. A day or two after getting home, there is still laundry to do, the car needs to be cleaned out, and the plants need to be watered. But I’ve gotten over wanting to banish my children to their room after 10 hours in the car with them, and I’m not as concerned about next month’s credit card bill.

I know that the next trip we take will have its own set of challenges, but will ultimately be easier to enjoy. I don’t know if the SSAE 16 audit will ever be ‘fun’, but the next time we go through it, we’ll check the suitcases, the vehicle, and travelling companions and make sure we get there, from here, as smoothly as possible.
