Service Organization Control (SOC) 1 reports are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. SSAE 16 has essentially replaced the aging and historical SAS 70 auditing standard for reporting periods ending on or after June 15, 2011. Much like SAS 70, SSAE 16 provides two (2) reporting options: an SSAE 16 Type 1 Report is officially a "Report on management's description of a service organization's system and the suitability of the design of controls", while an SSAE 16 Type 2 Report is officially a "Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls".
SSAE 16 reporting, specifically Type 1 and Type 2 assessments, is being required by more and more organizations today, especially those that provide critical outsourcing functions for other entities. Think of payroll companies, Third Party Administrators (TPA), data centers - just to name a few - and you're on the right track. With such prominence being placed on SSAE 16 reporting, it's important to learn about the AICPA standard that effectively replaced the longstanding SAS 70 auditing standard from 1992. As such, take note of the following five (5) important things to know about SSAE 16 reporting:
The SSAE 16 management assertion is a requirement whereby management of the service organization provides the practitioner (i.e., the CPA performing the actual SSAE 16 engagement) with a written assertion that essentially "asserts" to a number of clauses and provisions for purposes of SSAE 16 compliance. And it's also important to note that this written assertion is identified by any number of similarly related phrases, such as the following:
An SSAE 16 report is often issued after the completion of all assessment activities undertaken in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16. And an SSAE 16 report can be either a Type 1 or a Type 2, depending on the needs of the service organization itself. With that said, it's important to understand the contents of an SSAE 16 report and what each section means. This ultimately will provide you with a much greater understanding about SSAE 16 Type 1 and Type 2 assessments, and the accompanying reports that are issued for them.