There are several SOC 1 requirements for SSAE 16 reports that service organizations should be aware of. The SSAE 16 standard, which replaced the SAS 70 auditing standard for reporting periods ending on or after June 15, 2011, quickly became the de facto reporting option for U.S. service organizations (ISAE 3402 is the international counterpart), so it is worth noting the following SOC 1 requirements, along with general notes that will help interested parties learn more about SOC 1 reporting:
1. Description of the "system": Management of the service organization is responsible for providing what the standard calls the description of its "system", which is defined as:
"the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities."
SAS 70 had a similar requirement, the description of "controls", but the SSAE 16 description of the "system" is a broader and more detailed requirement. Although there are no hard-and-fast rules on how, or to what extent, the system must be documented, service organizations should include all information that is relevant to user entities, since the service auditor's opinion covers whether that description is fairly presented.
2. Written statement of assertion by management: Management of the service organization must also provide the service auditor with a written assertion, a document in which management asserts to a number of provisions relating to the engagement (for example, that the description fairly presents the system and that the controls were suitably designed and, for a Type 2 report, operating effectively). No such assertion was required under SAS 70, but it is a required component of service organization reporting under SSAE 16. A qualified CPA firm can assist in drafting the assertion; the AICPA publishes illustrative management assertions in its Service Organization Control (SOC) guidance, so the wording is largely standardized.
3. SSAE 16 standard: This is the AICPA attestation standard that reshaped third-party reporting for service organizations. SSAE 16 superseded the longstanding SAS 70 auditing standard for reporting periods ending on or after June 15, 2011, and is the professional standard on which SOC 1 reports are based, allowing service organizations to undergo SOC 1 SSAE 16 Type 1 (design of controls at a point in time) and SOC 1 SSAE 16 Type 2 (design and operating effectiveness over a period) reporting. SSAE 16 differs from SAS 70 in a number of ways, most notably the two issues above: the description of the "system" and the written assertion by management. (Note that SSAE 16 has itself since been superseded by SSAE 18 for service auditor reports dated on or after May 1, 2017; the SOC 1 report type remains.)
4. AICPA Service Organization Control (SOC) reporting platform: There has been a great deal of discussion of the AICPA "SOC" platform, so what is important to note are the three reporting options: SOC 1, SOC 2, and SOC 3. SOC 1 was designed for service organizations whose services have a true nexus with ICFR (Internal Control over Financial Reporting) at their user entities; SOC 2 and SOC 3 are aimed at technology-oriented service organizations such as data centers, cloud computing vendors, and managed service providers. While adoption of SOC 2 and SOC 3 has been slower than anticipated, awareness of these options is gaining ground. SOC 1, however, remains the most common form of reporting on controls at service organizations.
5. SOC 1 vs. SOC 2: Although SOC 1 is the better-known and more frequently used reporting option, SOC 2 deserves equal attention, for credible reasons. First, it is the appropriate option for service organizations that do not have a true relationship or "nexus" with ICFR. Second, for technology-oriented service organizations, SOC 2 and its five Trust Services Principles are a strong platform for reporting on controls related to (1) security, (2) availability, (3) processing integrity, (4) confidentiality, and (5) privacy. SOC 3 also uses the Trust Services Principles; the practical difference is that a SOC 2 report is a detailed, restricted-use report for the service organization's customers and their auditors, while a SOC 3 report is a general-use report that can be distributed freely.
In conclusion, there is much to learn about SOC 1 reporting, and service organizations, auditors, and other interested parties should spend time with the SOC 1 SSAE 16 Resource Guide developed by NDB Accountants & Consultants, a PCAOB-registered CPA firm specializing in SOC reporting.
Contact Christopher G. Nickell, CPA, to learn more about SOC 1 (SSAE 16) reporting and NDB's fixed-fee pricing for SOC 1, SOC 2 and SOC 3 reports. He can be reached at 1-800-277-5415, ext. 706. NDB also offers complimentary SOC 1 Policy Packets and SOC 2 Policy Packets, which help service organizations reduce the cost of SOC compliance.