A background on SOC 1 (SSAE 16/SSAE 18) compliance ultimately requires an introduction to the AICPA Service Organization Control (SOC) framework and to the concept of ICFR, internal control over financial reporting. SSAE 16, short for Statement on Standards for Attestation Engagements number 16, effectively replaced the antiquated and often misused SAS 70 auditing standard. SSAE 16 itself was then superseded by SSAE 18 for SOC reports dated on or after May 1, 2017. Now is the time for you to develop a clearer and more wide-ranging sense of what, exactly, SSAE 16 is and requires.
There are two important points you should be aware of as you navigate the challenging new landscape of SOC compliance in the SOC 1 (SSAE 16/SSAE 18) era. First, SOC 1 (SSAE 16/SSAE 18) is part of the AICPA SOC framework, and, second, SOC 1 (SSAE 16/SSAE 18) assessments are performed on service organizations exhibiting a true and credible nexus to the ICFR concept.
Getting Familiar with the AICPA SOC Framework
What is the SOC framework? With so many service organizations appearing on the financial market with various requirements for reporting, the American Institute of Certified Public Accountants (often known by its acronym, AICPA) engineered a wide-ranging platform called Service Organization Control reports, or SOC for short. This all-encompassing platform comprises three different kinds of reports, known as SOC 1, SOC 2, and SOC 3, respectively. Each of these offers service organizations a powerful and, most importantly, flexible tool for describing the numerous factors at play in the economic landscape around their organization.
This is a vast improvement on the SAS 70 auditing standard, which was often accused of applying a uniform approach to service organization reporting on controls without the capacity to reflect or respond to a service organization's individual needs and situation.
Now, this problem is all but solved, as the AICPA SSAE 18 standard has become the main professional standard available for issuing all SOC 1 reports. Getting to know the details of the SSAE 18 standard may be difficult for those service organizations used to the now defunct SAS 70 and the superseded SSAE 16 auditing protocols, which were almost universally applied, but the benefits of utilizing SSAE 18 far outweigh the challenges.
Here are a few important terms to familiarize yourself with:
- SOC 1 Reporting: Uses the SSAE 18 professional standard and is used to issue Type 1 or Type 2 reports.
- SOC 2 Reporting: Uses the AICPA AT Section 101 professional standard and can be used to generate either Type 1 or Type 2 reports.
- SOC 3 Reporting: Makes use of the SysTrust/WebTrust set of assurance services (aka "Trust Services"), an umbrella term for a number of criteria and requirements jointly developed by the CICA and AICPA.
Understanding SOC 1 (SSAE 16/SSAE 18) and the ICFR Concept
One of the most vital parts of a SOC 1 (SSAE 16/SSAE 18) assessment is the set of "control objectives", which reflect and report on a service organization's internal control over financial reporting, a term more often understood by its popular acronym, ICFR. What that means, in layman's terms, for you as a service organization, is that if you're providing services that can impact a client's financial reporting, then you'll need to assess your ICFR-related controls.
If you're not sure of the answer or have difficulty supplying documentary evidence to support your response, you might consider opting for SOC 2 or SOC 3 reporting instead, if you find that SOC 1 (SSAE 16/SSAE 18) is not an appropriate fit. To be clear, some user organizations and companies making use of an auditor might be unsure of their status and erroneously request SOC 1 (SSAE 16/SSAE 18) compliance despite not having direct applicability to ICFR.
SOC 1 (SSAE 16/SSAE 18) - It's About Impacting Financial Reporting for YOUR Customers
When you're looking at the extent to which ICFR functions are covered and recorded by the user organization, you should start by looking at whether there's any financial data the service organization has provided directly that can also be found – in number or data form – on the user organization's financial statements. Make sure you know whether your service organization is providing any specific services that would have any influence on a) any kind of record-keeping, including accounting entries or even estimations of a user organization or b) any power to authorize transactions, such as the recognition of revenue, capital expenditures, or expense scheduling, as well as c) any physical possession of any elements, whether liability or asset, that could be found on a user's financials.
The reports we're discussing, SOC 1 (SSAE 16/SSAE 18), are designed as a conversation between the service organization's auditor and the user organization's auditor about what ICFR functions are already in place (that's what Type 1 is for) and their operating effectiveness (Type 2) at measuring and managing audit risk as well as detection risk: information that is useful not only to external auditors but also to auditors working at or in the user organization.
By and large, the ideal companies to undertake SOC 1 (SSAE 16/SSAE 18) compliance are those such as TPAs (Third Party Administrators), payroll processors, registered investment advisors (RIAs), or actuarial/trust services. What's important is that you're able to recognize a strong bond between the ICFR concept and the SOC 1 (SSAE 16/SSAE 18) reporting framework.
Example of SOC 1 (SSAE 16/SSAE 18) and ICFR Applicability
To use one example: in a given service organization (let's say, a payroll processor), various calculations derived from user input are used to determine things such as payroll taxes, expenses, accrued payroll, accrued vacation deferral, qualified and non-qualified deferred plan accruals, and similar estimates and calculations about future financial activity that will have an impact on the financial statements of the user organizations they represent.
Service Organization Control (SOC) 1 reports are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18. SSAE 18 has essentially replaced the aging SAS 70 and SSAE 16 auditing standards for reporting periods dated on or after May 1, 2017. Much like SAS 70, SSAE 18 provides two (2) reporting options: a SOC 1 SSAE 18 Type 1 Report is officially a "Report on management's description of a service organization's system and the suitability of the design of controls", while a SOC 1 SSAE 18 Type 2 Report is officially a "Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls".
A SOC 1 SSAE 18 Type 2 data center compliance checklist is essential for ensuring your facility fundamentally comprehends and understands all critical issues considered in-scope for today’s data centers and managed services providers. From providing basic “ping, power, and pipe” to essential managed O/S and application practices, data center SOC 1 SSAE 18 Type 2 assessments can vary widely, so take note of the following tips, guidelines and recommendations for reporting, provided by NDNB Accountants & Consultants.
1. SOC 1 vs. SOC 2 for Data Centers. A growing debate amongst practitioners in the world of regulatory compliance is “what’s a better fit” for data center compliance, SOC 1 SSAE 18 Type 2 reporting or SOC 2 AT 101 reporting? This debate has intensified in recent years, as both sides put forth credible merits for using either SOC 1 or SOC 2. Interestingly, many CPA firms now actually issue both SOC 1 and SOC 2 reports for data centers, with the SOC 2 report many times limited to just one or two of the actual five (5) Trust Services Principles. Whichever reporting option you choose, you should be fine (provided your SOC 1 report includes ICFR control tests), just remember to educate your clients on why you’ve chosen one over the other. If you decide to follow the trend of conducting both SOC 1 and SOC 2 reports, then you’re obviously fine.
2. Important Scope Considerations. Data centers are a business model like no other, offering a multitude of products and services for meeting customers' needs and demands. It's critically important to develop an audit scope that covers the minimum industry-accepted baseline controls, while also providing any additional scope parameters for specialized services, such as managed hosting and cloud platforms. As for the "minimum industry-accepted baseline controls", a data center should include testing for the following operational and information security areas:
- Executive Tone | Senior Management Initiatives.
- Human Resources.
- Customer Contract and Provisioning Process (Legal, administrative and all “onboarding” processes).
- Change Management (for internal systems and customer facing environments).
- Incident Response | Customer Support Services.
- Shipping and Receiving Activities.
- Logical Security (Access rights to both internal systems and customer facing environments).
- Physical Security.
- Environmental Security.
- Backup, Replication, and Archival.
3. Managed Services. Many data centers offer much more than just traditional "ping, power, and pipe"; specifically, growing service lines include managed services at the O/S and even application levels. Depending on customer needs, requirements, and overall expectations, SOC 1 SSAE 18 Type 2 data center compliance should include testing of these environments for any number of control considerations, ranging from user access to network monitoring and performance, backups, etc. This is where it's critical to communicate with all intended parties regarding the contents of such a report, as expectations need to be met for comprehensive reporting.
4. SOC 1 SSAE 18 Type 2 Reporting Platform. “Flexibility” – it’s probably one of the best words to describe the SOC 1 SSAE 18 Type 2 reporting platform as it allows service organizations to essentially develop and test for controls they deem in-scope and relevant. Ultimately, this allows data centers to test a wide-array of control objectives for compliance, which provides tremendous value – according to supporters of the SSAE 18 standard for data centers.
5. SOC 2 AT 101 Reporting Platform. "Prescriptive" is without question the best term to describe SOC 2 reporting, as the Trust Services Principles (TSP) provide clear language on the relevant "criteria" to test for. Supporters of SOC 2 compliance reporting for data centers see this as a comprehensive framework for testing a wide array of technology-related platforms, especially considering that there are five (5) TSP to choose from.
6. Audit Efficiencies for SOC 1 | SOC 2 and more. With an ever-growing list of regulatory compliance mandates, it's critically important to begin undertaking audit efficiencies; specifically, collecting essential evidence once for the overlapping areas of today's main compliance initiatives. Hiring a proven and trusted audit firm, such as NDNB Accountants & Consultants, can make all the difference in time and money spent.
The phrase "SOC 1 SSAE 18 Type 2 compliant" is used quite a bit these days by businesses marketing themselves as an entity that has undertaken the rigorous assessment process under the well-known AICPA attestation standard, SSAE 18. But what does "SOC 1 SSAE 18 Type 2 Compliant" really mean? Quite a bit, so NDNB has provided the following list of helpful information relating to Statement on Standards for Attestation Engagements (SSAE) No. 18.
1. The AICPA SOC Framework. SSAE 18 is actually the professional standard used for issuing SOC 1 reports in accordance with the American Institute of Certified Public Accountants' Service Organization Control (SOC) reporting framework, which consists of SOC 1 (SSAE 18) along with SOC 2 and SOC 3 (AT 101) reporting. Additionally, the SSAE 18 standard effectively replaced the aging and antiquated SSAE 16 and SAS 70 auditing standards that had been in use for approximately twenty-five (25) years.
2. Define Scope. Different CPA firms have different methods for auditing service organizations when it comes to SOC 1 SSAE 18 Type 2 Compliant reporting, and that's because the SSAE 18 standard, unlike many other compliance initiatives (e.g., PCI DSS, HITRUST, etc.), is not "prescriptive" in nature. More specifically, it only comes with a lightly enforced framework, one that's open to wide interpretation by auditors, service organizations, and other interested parties. To be fair, this is to the advantage of the industry as a whole, as service organizations can be radically different entities with completely different operational environments from one to the other. As a result, the SSAE 18 standard has to be flexible and adaptive, not prescriptive.
3. It's an Annual Commitment. While we will stop short of calling it an annual "requirement", customers and other intended users of SOC 1 SSAE 18 Type 2 reports will come to expect - and demand - such reporting on an annual basis. The "one and done" approach unfortunately does not work in today's world of growing regulatory compliance mandates.
4. There is NO Certification. I repeat, this is NOT a certification, a seal or any other type of designated certificate - it does not work that way. Specifically, SOC 1 SSAE 18 Type 2 Compliant essentially means that a service organization has undergone attest procedures in accordance with the AICPA professional standard, resulting in the issuance of a service auditor's report. The phrase "SOC 1 SSAE 18 Type 2 Compliant" - is a better statement than that of the incorrect "certification" verbiage.
5. Start with a Readiness Assessment. Not sure where to begin if SOC 1 SSAE 18 Type 2 Compliance is being requested by customers and other parties? Begin with a comprehensive and cost-effective SOC 1 SSAE 18 readiness assessment, one that covers all issues regarding an audit of this type. Crawling before you walk, as the old saying goes, is not a bad idea! Talk to the experts at NDNB Accountants & Consultants today.
SOC 1 SSAE 18 Type 2 reports are common practice in today's world of regulatory compliance as organizations continue to outsource critical services to other organizations, known as "service organizations". If you are considering outsourcing to a third party, or your organization has been asked to undertake SOC 1 SSAE 18 Type 1 and/or Type 2 reporting compliance, take note of the following important points, brought to you by NDNB.
1. Understand the SOC framework and SSAE 18. After years of faithful service, the longstanding SAS 70 auditing standard, along with SSAE 16, was finally put to rest, effectively replaced by the American Institute of Certified Public Accountants' (AICPA) Service Organization Control (SOC) reporting framework, consisting of the following: SOC 1 SSAE 18, SOC 2 AT 101, and SOC 3 AT 101. These are three (3) different reporting options for helping meet the needs of today's growing, expanding, and complex service organizations, many of which rely heavily on information technology. As for SOC 1 SSAE 18 and SOC 2 AT 101 reporting, service organizations can opt for Type 1 and/or Type 2 reports. The SOC framework was long overdue and it's now being actively embraced by many involved in service organization reporting.
3. Readiness Assessments. Crawling before you walk is not a bad suggestion, so it’s a good idea to engage with a CPA firm in conducting an actual SOC 1 SSAE 18 Type 2 report Readiness Assessment – a proactive and useful engagement for helping unearth any necessary areas for remediation. Because most companies are very good at what they do, but often lack in the area of documentation, readiness assessments often find gaps with operational and information security documents, which can be time-consuming and taxing to write, but they’re a must when it comes to SOC 1 SSAE 18 reporting.
4. Two notable reporting requirements. For SOC 1 SSAE 18 Type 2 reporting, it's important to note that management of the service organization has two (2) distinct deliverables: (1) a description of its "system", and (2) a written statement of assertion. Both are fairly straightforward, yet actually authoring the description of one's "system" can be a fairly time-consuming process, as it is understood to cover the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities. As for management's written statement of assertion, a competent, well-qualified CPA firm can provide a template.
5. Welcome to regulatory compliance. Generally speaking, once you've performed your initial SOC 1 SSAE 18 Type 2 report, clients, regulators - and all other intended parties - will continue to expect (and demand) annual compliance, so keep this in mind.
SOC 1 (SSAE 18) Type 2 compliance audits are being performed on a large and ever-growing number of service organizations as the AICPA standard has become - much like the historical SAS 70 and SSAE 16 auditing standards were for 25 years - the de facto third-party internal control reporting framework. Many service organizations are new to SOC 1 (SSAE 18), being pushed into the world of regulatory compliance from demanding customers along with regulators wanting to inquire about a company’s internal controls. With that said, it’s important to take note of the following 5 items regarding SOC 1 (SSAE 18) compliance audits, brought to you by NDNB.
1. The AICPA SOC framework. The American Institute of Certified Public Accountants' Service Organization Control (SOC) reporting framework consists of SOC 1, SOC 2, and SOC 3 reporting, for which SSAE 18 is the professional standard used for SOC 1 reporting purposes. Hence, service organizations can receive a SOC 1 Type 1 and/or a SOC 1 Type 2 report. Long gone are the "one-size-fits-all" SAS 70 and SSAE 16 audit approaches, effectively replaced by reporting options that reflect today's complex, technology-driven business landscape. For an ounce of clarity, just remember that SSAE 18 is the professional standard for SOC 1, while AT 101 is the professional standard used for SOC 2 and SOC 3 reporting. A competent, well-qualified CPA firm, such as NDNB, can help clarify and answer any questions regarding SOC reporting.
2. Description of the "system". For SOC 1 (SSAE 18) Type 2 compliance (and for Type 1 reporting also), management of the service organization is to develop a description of its "system", which is the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities. The description should adequately illustrate many of the service organization's daily operational procedures, information security safeguards and controls, along with other important measures. NDNB, a nationally recognized CPA firm, can assist service organizations in developing the description of their "system".
3. Written Statement of Assertion by management. Along with the description of its “system”, SOC 1 (SSAE 18) Type 2 compliance requires management of the service organization to provide the service auditor (i.e., the CPA performing the actual engagement) with a written statement of assertion whereby management effectively asserts to a number of clauses and provisions. This is a new component of the AICPA SOC framework, yet it’s relatively straightforward and many examples can be found online. Additionally, speaking with a competent, well-qualified PCAOB CPA firm, such as NDNB, is a good place to start.
4. SOC 1 (SSAE 18) vs. SOC 2 AT 101. Because SOC 1 SSAE 18 reporting is “technically” geared towards service organizations having a credible nexus with the ICFR concept - internal control over financial reporting - technology companies may want to look at SOC 2 reporting. SOC 2 and SOC 3 reporting are an ideal fit for many of today’s technology oriented service organizations as the Trust Services Principles (TSP) generally help better illustrate control environments for data centers, managed services providers, software as a service (SaaS) organizations, etc. Though SOC 1 SSAE 18 Type 2 reporting is considered the more well-known platform, SOC 2 deserves merit also. Learn more about the SOC 1 vs. SOC 2 debate.