SOC 1 (SSAE 16/SSAE 18) compliance thus brings about two important components that service organizations should understand in order to comply with Statement on Standards for Attestation Engagements (SSAE) No. 16/No. 18:
The description of its system should give intended users of a SOC 1 (SSAE 16/SSAE 18) Type 1 or Type 2 report sufficient information to understand the services being provided to user entities. The information should therefore be comprehensive, accurate, and well-presented, and should cover all processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities and are relevant to user entities.
SOC 1 Description of the "System" vs. Historical Descriptions
With that said, service organizations have historically presented a description of "controls" for Statement on Auditing Standards (SAS) No. 70, commonly known as SAS 70. So what is the difference between the SOC 1 (SSAE 16/SSAE 18) description of its "system" and the SAS 70 description of "controls"? Many practitioners who are well-versed in SAS 70 and are now learning more about the SOC 1 (SSAE 16/SSAE 18) framework have noticed that the actual AICPA publication on SOC 1 (SSAE 16/SSAE 18) provides a comprehensive listing of acceptable information that a description of the "system" calls for.
This may very likely result in many service organizations having to revisit, rework, or substantially rewrite many aspects of their prior, historical SAS 70 description of "controls". In summary, some service organizations may find that only marginal changes are needed, while others may feel compelled to significantly change the prior SAS 70 description of "controls" to meet the intent and rigor of the SOC 1 (SSAE 16/SSAE 18) description of its "system".
The Written Assertion by Management
Additionally, service organizations must now provide a written assertion by management for SOC 1 (SSAE 16/SSAE 18) compliance. This written assertion was not required by the AICPA SAS 70 auditing standard, but now becomes a fundamental requirement of the new attestation standard.
The written assertion is just that: a number of "assertions" that are presented to the service auditor conducting the actual SOC 1 (SSAE 16/SSAE 18) engagement. Lastly, the written assertion can simply be included within the actual description of the service organization's "system" or attached to the description of the system itself. For assistance in developing a description of its system along with a written assertion by management, please contact a well-qualified PCAOB CPA firm that specializes in SOC 1 (SSAE 16/SSAE 18) and ISAE 3402 compliance. Looking for a competitive fixed fee for SOC 1 (SSAE 16/SSAE 18) and all your SOC 1, 2, and 3 reporting needs? Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 today.