SOC 1 (SSAE 16/SSAE 18) repoting has brought about a number of new requirements for service organizations; one in particular being that of providing a description of its "system". The term "system" and its description can carry a number of meanings and may very well be interpreted slightly differently among service organizations having to comply with SOC 1 (SSAE 16/SSAE 18).
With that said, the term "system" should be looked upon as the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities.
Important Elements for SOC 1 (SSAE 16/SSAE 18) Description of the "System"
Additionally, the description of the service organizations "system" should also identify the period the description relates to along with providing a listing of control objectives. Please keep in mind that according to SOC 1 (SSAE 16/SSAE 18) reporting, there is not an explicit or strict requirement regarding how the "system" is actually documented and to what extent. Thus, the format, depth, and scope of documenting the "system" will without question vary from one service organization to another.
Even so, service organizations should strive to incorporate a comprehensive discussion of the following components when documenting the description of its "system":
- The services being provided along with the classes of transactions processed.
- The procedures used, from beginning to end, both automated and manual, for the transactions (such as the flow of the transactions and all activities, from initiation to correction of errors, as necessary).
- How the system captures and also addresses significant events and conditions along with the processes and procedures used to prepare and report information as necessary to user entities.
- The control objectives, related controls and user control considerations.
- The service organizations elements of internal control, based on the COSO framework, which consist of the following: 1. Control Environment. 2. Control Activities. 3. Information and Communication. 4. Risk Assessment. 5. Monitoring.
While the AICPA SAS 70 auditing standard called for a description of "controls", SOC 1 (SSAE 16/SSAE 18) requires a description of its "system". This fundamental difference may force service organizations to revise and enhance their description of its "systems" from previous SAS 70 description of "controls", due in large part to the criteria that was used by management for previous reporting along with the criteria established for SOC 1 (SSAE 16/SSAE 18). Careful consultation with an experienced and qualified SOC 1 (SSAE 16/SSAE 18) auditor will help in assessing your reporting needs. Please contact us today by speaking with Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, to learn more about SSAE 16 and to receive a competitive, fixed-fee quote today.
North America’s Leading Provider of SOC 1 (SSAE 16/SSAE 18) and SOC 2 Audits
NDNB provides a wide-range of regulatory compliance services, all at competitively priced fixed-fees. From SOC 1 (SSAE 16/SSAE 18), SOC 2, SOC 3, EI3PA, ACH Audits, MERS compliance, internal audits, and more, we’re one of the country’s leading providers of compliance audits. Whatever your needs are in terms of today’s demanding and challenging regulatory compliance needs, we’re here to help you every step of the way, from scoping & readiness assessments to the final audit itself