SOC 1 SSAE 18 states that if the service organization has an "internal audit function", it is the responsibility of the service auditor to understand the role, responsibilities, and activities of that internal audit function in order to determine its applicability and relevance to a SOC 1 SSAE 18 engagement.
The "internal audit function" for SOC 1 SSAE 18 compliance can best be described simply as the personnel within a service organization who perform the duties of an internal auditor. Common internal audit activities include verifying that the service organization's daily operational activities, safeguards, processes, and procedures are functioning properly, which the internal audit function tests and monitors through a number of procedures.
Additionally, SOC 1 SSAE 18 allows the internal audit function to include other personnel who perform functions similar to those of internal auditors; these other personnel may be actual service organization employees or even external, third-party entities.
Assessing an Organization's Internal Audit Function - What you Need to Know
With that said, the existence of an internal audit function must first be identified within a service organization, and if one is present, the service auditor will need to determine the adequacy of the internal audit function itself for a SOC 1 SSAE 18 engagement. This requires evaluating the following conditions:
- The objectivity and the overall competency of the group (both technical and professional competency).
- Is due professional care used when the work is being performed by the internal audit function?
- Can the internal audit function of the service organization communicate with the service auditor in a transparent and professional manner to help facilitate the SOC 1 SSAE 18 engagement?
Additional Points to Note about an Internal Audit Function
If the service auditor can answer yes to these questions and gain an acceptable level of confidence regarding the internal audit function, the service auditor should then evaluate the following conditions:
- What is the nature and scope of the work to be performed by the internal audit function?
- How significant is that work to the service auditor's findings and conclusions for the SOC 1 SSAE 18 engagement?
- What degree of subjectivity is involved in evaluating the evidence (interviews, inspections, documents, and other supporting evidence) that supports the conclusions?
Relying on Work Performed by Internal Auditors
If the service auditor intends to rely on the work performed by the internal audit function, the service auditor will have to perform procedures on that work to determine its applicability, relevance, and adequacy for the SOC 1 SSAE 18 engagement. Specifically, the service auditor will have to determine that the work was actually performed by the internal audit function, that it was properly supervised, reviewed, and documented, and that sufficient evidence was obtained to draw conclusions that are appropriate and acceptable. Lastly, any exceptions found and disclosed by the internal audit function must be resolved. If your organization is seeking SOC 1 SSAE 18 compliance, contact a well-qualified, PCAOB CPA firm that specializes in SOC 1 SSAE 18 engagements.
North America's Leading Provider of Fixed-Fee SOC 1 SSAE 18 & SOC 2 Audits - Let's Talk!
SOC 1 SSAE 18 states that management's monitoring activities may provide evidence regarding the design and operating effectiveness of controls, thus allowing management of the service organization to use "monitoring" as a key element in supporting management's assertion.
What is the "monitoring" concept?
"Monitoring" is a process whereby the effectiveness of internal controls is assessed by activities that are generally built into the daily operational activities of service organizations, supplemented by separate evaluations where necessary. Monitoring activities can vary widely and may include processes and procedures such as the following:
- Evaluating one's daily operational activities
- Utilizing internal audit personnel, or other similar personnel, who perform a wide range of procedures across the various departments of a service organization.
- Automated system checks and balances, such as batch processing, reconciliations, quality assurance checks, system error checks.
- Correspondence with any third-party entities.
- Any additional processes, procedures, and safeguards as necessary.
The Essentials to Performing "Monitoring" Activities for SOC 1 SSAE 18 Compliance
Most service organizations successfully undertake monitoring activities through a combination of ongoing daily operational activities and separate evaluations. The phrase "separate evaluations" can mean any number of activities outside of a service organization's ongoing daily operational activities.
Common examples of "separate evaluations" include surprise audits by third-party entities such as clients or government regulatory agencies, due-diligence audits or reports conducted by prospective clients, and one-time or random internal evaluations performed as needed. In short, a wide variety of activities can fall under the phrase "separate evaluations" for the purposes of SOC 1 SSAE 18.
Additionally, the concept of monitoring for purposes of SOC 1 SSAE 18 includes assessing the effectiveness of the control environment and taking the necessary action to correct and remediate any weaknesses or deficiencies found. Monitoring is not a static, one-time event, but a constant effort by everyone in the organization to assess and improve its system of internal controls.
Are you Monitoring your Controls for SOC 1 SSAE 18?
To put the concept of monitoring into better perspective, ask yourself what activities your organization performs for monitoring, and how these activities provide evidence that ultimately supports your (i.e., management's) assertion, which is a key deliverable for SOC 1 SSAE 18 reporting. Looking for a competitive, fixed fee for SOC 1 SSAE 18 and all your SOC 2 and SOC 3 reporting needs? Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 today.
Lastly, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines "monitoring" as follows:
“Internal control systems need to be monitored--a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties…”
Turn to the Experts at NDNB for SOC 1 SSAE 18 Assistance
SOC 1 (SSAE 16/SSAE 18) compliance brings about two important components that service organizations should readily understand for purposes of complying with Statement on Standards for Attestation Engagements (SSAE) No. 16/No. 18: the description of the service organization's "system" and the written assertion by management.
The description of its system should provide the intended users of a SOC 1 (SSAE 16/SSAE 18) Type 1 or Type 2 report with sufficient information to understand the services being provided to user entities. Therefore, the information should be comprehensive, accurate, and well presented, and should cover all processes, policies, procedures, personnel, and operational activities that constitute the service organization's core activities relevant to user entities.
SOC 1 Description of the "System" vs. Historical Descriptions
With that said, service organizations have historically presented a description of "controls" under Statement on Auditing Standards (SAS) No. 70, commonly known as SAS 70. So what is the difference between the SOC 1 (SSAE 16/SSAE 18) description of the "system" and the SAS 70 description of "controls"? Many practitioners well versed in SAS 70 who are now learning about the SOC 1 (SSAE 16/SSAE 18) framework have noticed that the AICPA publication on SOC 1 (SSAE 16/SSAE 18) provides a comprehensive listing of the information a description of the "system" is expected to contain.
This may very likely result in many service organizations having to revisit, rework, or substantially rewrite many aspects of their prior SAS 70 description of "controls". In summary, some service organizations may find that only marginal changes are needed, while others may need to significantly change their prior SAS 70 description of "controls" to meet the intent and rigor of the SOC 1 (SSAE 16/SSAE 18) description of the "system".
The Written Assertion by Management
Additionally, service organizations must now provide a written assertion by management for SOC 1 (SSAE 16/SSAE 18) compliance. This written assertion was not required by the AICPA SAS 70 auditing standard, but it is a fundamental requirement of the attestation standard.
The written assertion is exactly what its name suggests: a set of "assertions" presented to the service auditor conducting the SOC 1 (SSAE 16/SSAE 18) engagement. The written assertion can be included within the description of the service organization's "system" or attached to the description itself. For assistance in developing a description of the system along with a written assertion by management, please contact a well-qualified, PCAOB CPA firm that specializes in SOC 1 (SSAE 16/SSAE 18) and ISAE 3402 compliance.
North America’s Premier Provider of SOC 1 (SSAE 16/SSAE 18) Audits at Fixed-Fees
The SSAE 18 standard is used for reporting on controls at service organizations. A "service organization" is defined as an organization providing services to "user entities", where those services are likely to be relevant to the user entities' internal control over financial reporting. A "user entity", in turn, is simply an organization that uses the services of a service organization.
The definition of a "service organization" for purposes of SOC 1 (SSAE 16/SSAE 18) reporting can seem somewhat technical and ambiguous, but more important than the definition itself are the following questions:
- What are common examples of service organizations and the industries and business sectors they represent?
- Why are service organizations being required to become SOC 1 (SSAE 16/SSAE 18) compliant?
- What trends will play out in the coming years for service organizations regarding regulatory compliance requirements?
SOC 1 (SSAE 16/SSAE 18) compliance will no doubt require a large number of service organizations to undergo an examination for reporting on controls, ultimately resulting in the issuance of a SOC 1 (SSAE 16/SSAE 18) Type 1 or Type 2 report. With that said, listed below is a sample of industries and business sectors that are prime candidates for SOC 1 (SSAE 16/SSAE 18) compliance, or possibly the ISAE 3402 standard.
- Software as a Service (SaaS)
- Application Service Providers (ASP)
- Credit Card Processing Platforms
- Cloud Computing | Virtualization | on demand Computing Services
- Internet Service Providers (ISP)
- Web Design and Development
- Web Hosting
- Social Media | Content Tagging and Aggregators
- Data Center and Co-Location Providers
- Managed Services
- Third Party Administrators (TPA)
- Captive Providers
- Medical Billing
- Print and Mail Delivery
- Online Fulfillment
- Rebate Processing | Online and Mail
- Transportation Services
- Tax Credit and Empowerment Services
- Payroll Services
- Registered Investment Advisors (RIA)
Service Organizations and SOC 1 (SSAE 16/SSAE 18) & ISAE 3402
In reality, there is a large and ever-growing list of industries and business sectors that are (and will be) considered service organizations for purposes of SOC 1 (SSAE 16/SSAE 18) compliance. The sheer growth in outsourcing, coupled with rigorous mandates for security, governance, and compliance will force more and more businesses to comply with SOC 1 (SSAE 16/SSAE 18) third party reporting standards for service organizations. If your business or entity is providing critical or material outsourcing services to another entity, then you may very well be called upon to become SOC 1 (SSAE 16/SSAE 18) compliant. From processing medical claims to providing data center services to clients, just to name a few, businesses are becoming more involved than ever with other entities, thus creating a true need for reporting on controls on service organizations with the
Also of note is the ISAE 3402 standard, the global standard for assurance reporting on service organizations. ISAE 3402 and SOC 1 (SSAE 16/SSAE 18) are highly similar, with few notable technical exceptions, and as such, many service organizations outside North America may well opt for ISAE 3402 compliance over SOC 1 (SSAE 16/SSAE 18) compliance. Ultimately, time will tell how the ISAE 3402 and SSAE 16/SSAE 18 standards play out in terms of adoption and overall acceptance around the globe.
The Continued Growth of SOC 2 Audits
SOC 2 is fast becoming the global default standard for service organizations that must perform annual compliance audits. The SOC 2 standard is heavily weighted towards technology-driven companies, as the Trust Services Principles (TSP) are well suited to data centers, cloud vendors, SaaS entities, and many others.
NDNB – North America’s Leading Provider of SOC 1 and SOC 2 Audits
In need of a SOC 1 or SOC 2 audit? Contact the regulatory compliance experts at NDNB today. NDNB offers SOC 1 (SSAE 16/SSAE 18), SOC 2, SOC 3, EI3PA, ACH audits, MERS compliance, internal audits, and more, all at fixed fees. From scoping and readiness assessments to formal audits, NDNB offers a complete lifecycle of services and solutions. Please contact us today to learn more.
SOC 1 SSAE 18 provides guidance on addressing services provided by a "subservice organization", which service organizations should adhere to. First and foremost, what is a subservice organization? It is simply a service organization that is used by another service organization and that assists in or participates in providing services to the user entity.
For example, if a user entity outsources medical claims processing to company A, and in turn company A outsources various aspects of the claims processing, such as billing of medical claims, to company B, then company B is the subservice organization in this scenario. As such, company A has an obligation to address the services provided by the subservice organization. For SOC 1 SSAE 18 reporting this can be done using either the carve-out method or the inclusive method. Alternatively, a subservice organization could undergo its own SOC 1 SSAE 18 Type 1 or Type 2 engagement, further helping to satisfy the reporting requirements of the service organization.
Under the carve-out method, the service organization's description of its "system" includes the services performed by the subservice organization but excludes the subservice organization's control objectives and related controls. Even though those control objectives and related controls are excluded, management of the service organization should include within its description of the "system" the controls it uses to monitor the subservice organization.
Under the inclusive method, the service organization's description of its "system" includes both the services performed by the subservice organization and the subservice organization's control objectives and related controls.
It is worth noting that many subservice organizations may themselves be deemed a primary service organization by another user entity, and thus may well have to undergo SOC 1 SSAE 18 compliance in their own right.