When performing SSAE 16 you should include consideration of which person(s) have the appropriate responsibilities for and knowledge of the matters concerned.When this SSAE requires the service auditor to inquire of, request representations from, communicate with, or otherwise interact with management of the service organization, the service auditor should determine the appropriate person(s) within the organization.

The service auditor should investigate the nature and cause of any deviations identified, and
should determine whether
      a. identified deviations are within the expected rate of deviation and are acceptable. If so,
the testing that has been performed provides an appropriate basis for concluding that
the control operated effectively throughout the specified period.
      b. additional testing of the control or of other controls is necessary to reach a conclusion
about whether the controls related to the control objectives stated in management’s
description of the service organization’s system operated effectively throughout the
specified period.
      c. the testing that has been performed provides an appropriate basis for concluding that
the control did not operate effectively throughout the specified period.