SSAE 16 SOC 1 Type II reports are common practice in today’s world of regulatory compliance, as organizations continue to outsource critical services to other organizations, known as “service organizations”. If you are considering outsourcing to a third party, or your organization has been asked to undertake SSAE 16 SOC 1 Type II reporting, take note of the following important points, brought to you by NDB Accountants & Consultants.
1. Understand the SOC framework and SSAE 16. After years of faithful service, the longstanding SAS 70 auditing standard was finally put to rest, effectively replaced by the American Institute of Certified Public Accountants’ (AICPA) Service Organization Control (SOC) reporting framework, which consists of the following: SOC 1 SSAE 16, SOC 2 AT 101, and SOC 3 AT 101. These are three (3) different reporting options for helping meet the needs of today’s growing, expanding, and complex service organizations, many of which rely heavily on information technology. For SOC 1 SSAE 16 and SOC 2 AT 101 reporting, service organizations can opt for Type 1 and/or Type 2 reports. The SOC framework was long overdue, and it’s now being actively embraced by many involved in service organization reporting.
2. Scoping is critical. Scope is the main driver for all critical components of SSAE 16 SOC 1 Type II reporting, such as price, duration, and complexity. Because of this, it’s very important to unearth the “who, what, when, where, and why” for an engagement of this type, which means discussing which business processes are to be included, which physical locations will be visited, the number and type of control objectives and the subsequent tests, and so on. It’s therefore essential to work with a well-qualified, PCAOB-registered CPA firm, one with years of experience performing internal control assessments. Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, or email him at firstname.lastname@example.org to learn more.
3. Readiness Assessments. Crawling before you walk is not a bad suggestion, so it’s a good idea to engage a CPA firm to conduct an actual SSAE 16 SOC 1 Type II Readiness Assessment, a proactive and useful engagement for helping unearth any areas that need remediation. Most companies are very good at what they do but often lack in the area of documentation, so readiness assessments frequently find gaps in operational and information security policies and procedures. These can be time-consuming and taxing to write, but they’re a must when it comes to SSAE 16 reporting. Finding a high-quality set of templates is the best advice, as developing your own documentation from scratch can be extremely challenging and unnecessary.
4. Policies and Procedures. As just mentioned, one of the biggest and most often-overlooked areas for ensuring a successful SSAE 16 SOC 1 Type II assessment is having documented policies and procedures in place. Service organizations, just like any other business, often fail to update their information security documentation, or worse, never develop any at all, which puts further challenges on the assessment. Remember that auditors are always on the lookout for documented policies and procedures; it’s a big part of their job, and SSAE 16 SOC 1 Type II reporting will demand them. Finding a high-quality set of security policy and procedure templates is the most efficient course to take. After all, who wants to spend hundreds of hours developing their own policies and procedures from scratch? Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.
5. Two notable reporting requirements. For SSAE 16 SOC 1 Type II reporting, it's important to note that management of the service organization has two (2) distinct deliverables: (1) providing a description of its "system", and (2) providing a written statement of assertion. Both are fairly straightforward, yet actually authoring the description of one's "system" can be a fairly time-consuming process, as the "system" is understood to encompass the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities relevant to user entities. As for management's written statement of assertion, a competent, well-qualified CPA firm can provide a template.
6. Welcome to regulatory compliance. Generally speaking, once you've completed your initial SSAE 16 SOC 1 Type II report, clients, regulators, and all other intended parties will continue to expect (and demand) annual compliance, so keep this in mind.
Want to learn more about SSAE 16? Visit the official SSAE 16 Resource Guide, developed exclusively by NDB Accountants & Consultants.
Additionally, call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, to learn more about NDB’s competitive, fixed fees for SSAE 16 Type 1 and Type 2 reporting.