Service organizations would highly benefit from having a comprehensive SOC 1 SSAE 18 audit checklist – one that essentially assists in the preparation of planning for a Type 1 or Type 2 assessment by a CPA firm. As such, take note of the following SSAE 16 audit checklist, provided by NDNB Accountants & Consultants (NDNB), a nationally recognized IR CPA firm.
1. Find a competent and proven CPA firm that specializes in SOC reporting. Many firms have entered into the regulatory compliance arena – and that’s a good thing – as competition results in numerous qualified professionals, along with pricing stability for SOC 1 SSAE 18 Type 1 and Type 2 reporting. Choose a firm with years of experience performing third-party audits on control environments, and you should be fine. Start by getting a fixed-fee quote from NDNB Accountants and Consultants (NDNB) by contacting Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 or emailing him at This email address is being protected from spambots. You need JavaScript enabled to view it..
2. Gain a strong understanding of SOC 1 SSAE 18. Learning about the “who, what, when, where, and why” of SOC 1 SSAE 18 ultimately allows you to ask thoughtful, intelligent questions to CPA firms proposing, while providing useful information to senior management within one’s organization. A great place to learn essentially everything you need to know about SOC 1 SSAE 18 audit requirements is the official SOC Report Resource Guide, developed exclusively by NDNB Accountants & Consultants. Learn about the background of SOC 1 SSAE 18, types of reporting options, planning and scope considerations, along with literally dozens of other critical topics – it’s all available – and free – at the official SOC Report Resource Guide.
3. Determine engagement scope. A very important part of planning for a SOC 1 SSAE 18 Type 1 or Type 2 assessment is unearthing the essential boundaries of the engagement itself – specifically – the following:
(1). Are there any prior reporting assessments that were conducted (i.e., a recent SSAE 18 report or a even more recent SOC 1 SSAE 18 report) that can assist in properly scoping the engagement?
(2). what control objectives and related controls will be used in forming the basis for SOC 1 SSAE 18 reporting and do they meet the stated requirements set forth by user entities for reporting purposes?
(3). Have all relevant and material subservice organizations been identified, and if so, will the “carve-out method” or the “inclusive method” be used regarding these entities?
(4). as for physical locations, how many are to be included within the scope of a SOC 1 SSAE 18 engagement? (5). what is the relevant testing period that will be used for SOC 1 SSAE 18 reporting? (6). what personnel at the service organization itself will be involved in facilitating the entire SOC 1 SSAE 18 audit process? These are high level questions and statements that can essentially be further refined for building one’s own SOC 1 SSAE 18 audit checklist.
4. Conduct an internal SOC 1 SSAE 18 Readiness Assessment. Once the scope of the audit has been clearly identified and agreed upon, it’s time to examine the respective control environments for purposes of identifying any possible areas of remediation, which can include any number of issues, such as the following:
• Lack of documented and formalized policies and procedures for many pertaining to the SOC 1 SSAE 18 assessment itself, particularly regarding information security documentation.
• Weak enforcement of procedural based activities, such as opening formalized change request tickets, trouble tickets, etc. for any relevant issues.
• Lack of audit evidence itself, as many systems simply fail to keep logging and audit trails for acceptable minimum periods.
• Poorly provisioned systems that can often lead to network vulnerabilities and other exploits.
5. Remediate areas of concern. It’s perfectly acceptable actually “remediate” areas that require remediation – after all – it’s why organizations conduct SSAE 16 Readiness Assessments prior to the actual audit itself. The key is to truly remediate the findings, correct the deficiencies – ultimately improving one’s control environment. What good is remediation if the areas of concern are flagged, yet little or no attention is given to them for correcting the problems? Not only would receiving an “unqualified” (i.e., clean) opinion for the SOC 1 SSAE 18 be a real challenge, one’s control environment would still be exhibit material deficiencies. It’s a no win situation, so remediate!
Read Part II of the SOC 1 SSAE 18 audit checklist whitepaper.