Menu Close

#11 | NetSuite SSAE16 – Practical Tips on How to Review & Map Controls – Part 1

NetSuite has become a popular ERP solution for many mid-size companies. If you use NetSuite and are required to comply with SOX 404, one of the year-end procedures is to review the SSAE16 Type II report. In this practical training session, we walk you step-by-step through the review and answer the following questions:

NetSuite SSAE 16 A2Q2
Fig. 1 – NetSuite SSAE 16

The SSAE 16 report used to be called the SAS 70. In 2011, the United States mirrored the international auditing standard ISAE 3402. For most companies to rely on it, they have to determine whether it’s a Type 1 or a Type 2 report. This is one of the questions that we’re going to touch on in this part of this training series.

I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.

SSAE 16 questions to ask
Fig. 2 – NetSuite SSAE 16 questions to be asked

Type 1 or Type 2 Report

The first thing we are going to tackle is how to determine if the report is Type 1 or Type 2. Below, you will see an example of a report from NetSuite, specifically the cover page. When starting out, I always make sure to check the date. On the example below, we can see that it is from April 1, 2014 to March 31, 2105.

example of NetSuite report
Fig. 3 – Example NetSuite report cover page

Let’s say that you are a calendar year-end company, we can see from the example above that we have three months covered in 2015. Remember that we are only interested in months for the year 2015. If it doesn’t include any months for 2015, just save your time and skip it.

Now that we know that we can use this report, let’s figure out what type of the report is. If you remember, a Type 1report is a report that just says that they’ve assessed the design of controls. Type 2 on the other hand says that the auditors have assessed the design and operating effectiveness. The best place to find that is in the auditor’s opinion.

Table of Contents of KPMG
Fig. 4 – Table of Contents of KMPG NetSuite SSAE 16 report

In this case, it’s from KPMG and it starts on page 3. It shows the part which will help us determine whether this is a Type 1 or a Type 2 report.

KPMG type 1 report
Fig. 5 – KPMG type 1 report

Notice the part where it says:

“Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all, material respects, the description is fairly presented, the controls were suitably designed and the controls operating effectively achieve the related objectives.…” This passage, with added emphasis in bold, tells us that this is a Type 1 report.

Unqualified Opinion

In common English, “unqualified” just means a clean opinion. It means the auditors haven’t put exceptions or qualifications to what they tested, hence the term “unqualified”.

NetSuite Unqualified opinion
Fig. 6 – NetSuite Unqualified opinion

Go back to the report andlook at the “Opinion” section. The highlighted part shows us what a clean opinion is. If we are reviewing on this report, we point to this section and say that it is a clean opinion and therefore we can rely on it.


To recap, in this post, we showed you how to answer the questions:

Leave a Reply

Your email address will not be published.

Share This

Copy Link to Clipboard