The SSAE 18 standard will be used for reporting on controls at service organizations, and as such, the term "service organization" is defined as an organization providing services to "user entities", for which these services are likely to be relevant to these user entities' internal control for financial reporting. Thus, the term "user entity" is simply an organization using the service of a service organization.
Clearly, the definition of a "service organization" for purposes of SOC 1 (SSAE 16/SSAE 18) reporting can seem somewhat technical and ambiguous, but what's more important to understand and grasp than the definition itself are the following:
- What are common examples of service organizations and the industries and business sectors they represent?
- Why are service organizations being required to become SOC 1 (SSAE 16/SSAE 18) compliant?
- What trends will play out in the coming years for service organizations regarding regulatory compliance requirements?
SOC 1 (SSAE 16/SSAE 18) compliance will no doubt require a large number of service organizations to undergo an examination for reporting on controls, ultimately resulting in the issuance of a SOC 1 (SSAE 16/SSAE 18) Type 1 or SOC 1 (SSAE 16/SSAE 18) Type 2 report. With that said, listed below are a sample of industries and business sectors that are prime candidates for SOC 1 (SSAE 16/SSAE 18) compliance, or even possibly the ISAE 3402 standard.
- Software as a Service (SaaS)
- Application Service Providers (ASP)
- Credit Card Processing Platforms
- Cloud Computing | Virtualization | on demand Computing Services
- Internet Service Providers (ISP)
- Web Design and Development
- Web Hosting
- Social Media | Content Tagging and Aggregators
- Data Center and Co-Location Providers
- Managed Services
- Third Party Administrators (TPA) |
- Captive Providers
- Medical Billing
- Print and Mail Delivery
- Online Fulfillment
- Rebate Processing | Online and Mail
- Transportation Services
- Tax Credit and Empowerment Services
- Payroll Services
- Registered Investment Advisors (RIA)
Service Organizations and SOC 1 (SSAE 16/SSAE 18) & ISAE 3402
In reality, there is a large and ever-growing list of industries and business sectors that are (and will be) considered service organizations for purposes of SOC 1 (SSAE 16/SSAE 18) compliance. The sheer growth in outsourcing, coupled with rigorous mandates for security, governance, and compliance will force more and more businesses to comply with SOC 1 (SSAE 16/SSAE 18) third party reporting standards for service organizations. If your business or entity is providing critical or material outsourcing services to another entity, then you may very well be called upon to become SOC 1 (SSAE 16/SSAE 18) compliant. From processing medical claims to providing data center services to clients, just to name a few, businesses are becoming more involved than ever with other entities, thus creating a true need for reporting on controls on service organizations with the
Of interesting note is the ISAE 3402 tandard, the global standard for assurance reporting on service organizations. ISAE 3402 and SOC 1 (SSAE 16/SSAE 18) are highly similar, with few notable technical exceptions, and as such, many service organizations outside the North America may very well opt for ISAE 3402 compliance over SOC 1 (SSAE 16/SSAE 18) compliance. Ultimately, time will tell how the ISAE 3402 and SSAE 16/SSAE 18 standards play out regarding adoption and overall acceptance throughout the globe. Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, to learn more about SOC 1 (SSAE 16/SSAE 18) and to receive a competitive, fixed-fee quote today.
The Continued Growth of SOC 2 Audits
SOC 2 is fast becoming the global default standard when it comes to service organizations having to perform annual compliance audits. The SOC 2 standard is heavily weighted towards technology driven companies as the Trust Services Principles (TSP) are well suited for the likes of data centers, cloud vendors, SaaS entities, and many others.
NDNB – North America’s Leading Provider of SOC 1 and SOC 2 Audits
In need of a SOC 1 or SOC 2 audit, then contact the regulatory compliance experts today at NDNB. Along with offering fixed-fee SOC 1 (SSAE 16/SSAE 18), SOC 2, SOC 3, EI3PA, ACH Audits, MERS compliance, internal audits, and more – all at fixed-fees. From scoping & readiness assessments to formalized audits, NDNB offers a complete lifecycle of services and solutions. Please contact us today to learn more.