NetSuite has become a popular ERP solution for many mid-size companies. If you use NetSuite and are required to comply with SOX 404, one of the year-end procedures is to review the SSAE16 Type II report. In this practical training session, we walk you step-by-step through the review and answer the following questions:
The SSAE 16 report used to be called the SAS 70. In 2011, the United States mirrored the international auditing standard ISAE 3402. For most companies to rely on it, they have to determine whether it’s a Type 1 or a Type 2 report. This is one of the questions that we’re going to touch on in this part of this training series.
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
The first thing we are going to tackle is how to determine if the report is Type 1 or Type 2. Below, you will see an example of a report from NetSuite, specifically the cover page. When starting out, I always make sure to check the date. On the example below, we can see that it is from April 1, 2014 to March 31, 2105.
Let’s say that you are a calendar year-end company, we can see from the example above that we have three months covered in 2015. Remember that we are only interested in months for the year 2015. If it doesn’t include any months for 2015, just save your time and skip it.
Now that we know that we can use this report, let’s figure out what type of the report is. If you remember, a Type 1report is a report that just says that they’ve assessed the design of controls. Type 2 on the other hand says that the auditors have assessed the design and operating effectiveness. The best place to find that is in the auditor’s opinion.
In this case, it’s from KPMG and it starts on page 3. It shows the part which will help us determine whether this is a Type 1 or a Type 2 report.
Notice the part where it says:
“Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all, material respects, the description is fairly presented, the controls were suitably designed and the controls operating effectively achieve the related objectives.…” This passage, with added emphasis in bold, tells us that this is a Type 1 report.
In common English, “unqualified” just means a clean opinion. It means the auditors haven’t put exceptions or qualifications to what they tested, hence the term “unqualified”.
Go back to the report andlook at the “Opinion” section. The highlighted part shows us what a clean opinion is. If we are reviewing on this report, we point to this section and say that it is a clean opinion and therefore we can rely on it.
To recap, in this post, we showed you how to answer the questions: