SSAE 18 SOC 1 Introduction and Overview for California Service Organizations
Many businesses in California – and around the nation – are being required to undertake annual SSAE 18 SOC 1 assessments & audits, but are unfortunately not clear on many of the facets regarding Statement on Standards for Attestation Engagements (SSAE) No. 18. As such, NDNB, California’s leading provider of high-quality, fixed fee audits, has provided the following introduction and overview regarding SSAE 18 SOC 1 reports.
California’s Leading Provider of SSAE 18 SOC 1 Compliance
NDNB has been performing a wide variety of regulatory compliance audits and assessments throughout California, and along the way we’re often asked what the important points are that a business really needs to know to ensure an efficient audit process from day one. We understand compliance can be complex, costly, and incredibly time-consuming, so we’ve assembled our team of auditing experts and put together the following list for California businesses.
What California Businesses Need to Know About SSAE 18 SOC 1 Reporting
Learn About the SOC Framework: SOC stands for System and Organization Controls (SOC) reports, a comprehensive reporting platform put forth by the American Institute of Certified Public Accountants (AICPA) which offers the following three (3) reporting options: SOC 1, SOC 2, and SOC 3. Additionally, SSAE 18 is the professional standard for issuing SOC 1 assessments, while SOC 2 and SOC 3 – which are geared towards technology companies – utilize the AT 101 standard. This represents a radical, and much needed, departure from the aging and antiquated SAS 70 auditing standard that was released in April 1992.
Understand the ICFR Concept: There’s a concept in the world of auditing known as “Internal Controls over Financial Reporting”, which essentially states that any service organization undertaking finance-related activities for its customers – activities that can impact those customers’ financial reporting – should be assessed against the SOC 1 reporting option, which uses the SSAE 18 standard. Thus, for example, if you’re an actuarial entity and the reporting you provide to clients impacts their financial reporting, SOC 1 reporting is to be utilized. SOC 2 audits have no ICFR concept, and are thus geared towards technology-driven service organizations.
Be Aware of Critical Scope Considerations and Control Objectives: If you want a successful, efficient, and cost-effective audit – not a costly, nightmarish scenario with the dreaded “scope creep” – then undertake an NDNB SSAE 18 SOC 1 readiness assessment. When performed correctly for California and Orange County service organizations, an SSAE 18 SOC 1 readiness assessment helps define scope and identify gaps and deficiencies within one’s internal control environment, thereby preparing an organization for long-term audit success.
Get Educated on the SSAE 18 SOC 1 vs. SOC 2 Debate: “So, which is the correct reporting option to use, SOC 1 or SOC 2?” is a question we receive almost daily, and for good reason. For clarity and simplicity, just remember that SSAE 18 SOC 1 reporting should be used by service organizations with a true relationship to the ICFR concept discussed above, while SOC 2 reports should be the focus for technology entities – i.e., cloud computing, SaaS, etc. That’s not to say this path is always followed; many technology service organizations do in fact opt for SSAE 18 SOC 1 reporting.
Audit Evidence: Providing documents, such as security policies, signed memos, screenshots, configuration files, emails – and many other types of evidence – is what an SSAE 18 SOC 1 audit is all about. It’s also about undertaking physical inspections and walking through various facilities and locations, conducting tests as necessary at such sites.
Documentation: Nobody wants to spend hundreds of hours developing security documents for an SSAE 18 SOC 1 audit – we more than get it – so do what dozens of companies all throughout Southern California have done – obtain NDNB’s complimentary information security policies containing hundreds of pages of expert material for rapid audit compliance. Policies are a big, big part of any audit – especially SSAE 18 SOC 1 audits – and they’re often the biggest gaps found during a readiness assessment, which is all the more reason to consider using NDNB and obtaining our complimentary information security policies.
Management Mandates: Southern California businesses opting for SSAE 18 SOC 1 compliance must provide the service auditor with two distinct items: (1) a Description of the System, and (2) a Written Management Assertion. These are unique to the SOC framework – including SOC 2 compliance – so talk to the CPA firm conducting the audit to learn more.
Remediation: Having a picture-perfect control environment and the ability to assess a service organization with no exceptions is a rarity, and it’s why California service organizations need to be aware of the various aspects of remediation that must often take place before the audit commences. Policies and procedures, as mentioned above, are a large part of remediation, but so are the many technical mandates that often must be performed as well.
Examples include provisioning servers, enforcing stronger passwords, and ensuring your data backup and contingency plans are in place – the essential information security and operational best practices that many auditors are on the lookout for when performing today’s regulatory compliance audits, particularly SSAE 18 SOC 1 and SOC 2.
Problem Areas for the Audit: SSAE 18 SOC 1 audits can be laborious and time-consuming, yet many service organizations fail to plan ahead, resulting in the following miscues and problems:
- Lack of internal resources assigned to the audit.
- Incorrect scoping, resulting in the all-too-often dreaded “scope creep”.
- Missing policies and other formal documentation.
- Lack of internal leadership for ensuring a clear path towards compliance.
NDNB – California’s Leading Provider of SOC 1 and SOC 2 Audits