There are numerous SOC 1 SSAE 16 Type 2 audit requirements for compliance that service organizations should be aware of for helping ensure an efficient, transparent and cost-effective process, from beginning to end. Ever since the SSAE 16 standard replaced the aging SAS 70 auditing standard (for reporting periods ending on or after June 15, 2011), service organizations have been working hard to conform with the new requirements - which, to be fair - are not too terribly taxing. Sure, there’s a number of administrative changes brought about by SSAE 16, ultimately requiring service organization to have a strong understanding of the following:
1. SAS 70 reports are no longer being issued. For approximately twenty years (April 1992 - June 15, 2011), the SAS 70 auditing standard was the global de facto compliance platform for reporting on controls at service organizations, but much has changed in the business world (most notably, the advancement of technology), resulting in major changes for third-party internal control reporting.
2. AICPA SOC Framework. Say goodbye to SAS 70 and hello to the AICPA Service Organization Control (SOC) reporting framework, which offers three (3) reporting options for service organizations: SOC 1 SSAE 16 | SOC 2 AT 101 | SOC 3 AT 101.
3. Description of its “system”. SSAE 16 also requires management of the service organization to develop a description of its “system”, which is essentially the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities. A well-qualified, PCAOB CPA firm can assist service organizations in better planning and writing an actual description of one’s “system”.
4. Written statement of assertion by management. Along with the description of its “system”, SSAE 16 also requires that management of the service organization provide a written statement of assertion - a statement whereby by management effectively asserts to a number of critical clauses and provisions relating to the actual SSAE 16 assessment. This is a new requirement when compared to the historical SAS 70 auditing standard, for which a competent, experienced PCAOB CPA firm can assist you in developing the written statement of assertion.
There are many other minor technical requirements when it comes to SOC 1 SSAE 16 Type 1 and Type 2 reporting, yet the above items listed constitute the critical elements all service organizations need to be aware of. As for the AICPA Service Organization Control (SOC) framework - consisting of SOC 1, SOC 2, and SOC 3 reporting - visit the official SSAE 16 Resource Guide - developed exclusively by NDB Accountants & Consultants, a nationally recognized PCAOB CPA firm specializing in regulatory compliance. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.
To obtain a competitive, fixed-fee price for your SOC 1 SSAE 16 reporting needs, contact Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, or email him at firstname.lastname@example.org today.