SOC 1 (SSAE 16/SSAE 18) Service Organization Responsibilities and Requirements

While SOC 1 (SSAE 16/SSAE 18) requires management of the service organization to provide a description of its "system" along with also producing a written assertion, there are also a number of other requirements and responsibilities to be undertaken for SOC 1 (SSAE 16/SSAE 18) reporting.

Though much has been written and discussed regarding the description of the "system" and the written assertion, it's important to also gain an understanding of the following key issues regarding SOC 1 (SSAE 16/SSAE 18):

  • Monitoring of Controls" concept
  • "The Identification of Risks"
  • "Suitable Criteria" concept

Why? Because these concepts constitute a critical component of the actual service organization's description of its "system" along with the written assertion, both of which management must provide for SOC 1 (SSAE 16/SSAE 18) reporting.

Understanding the Importance of "Monitoring" of Controls for SOC 1 (SSAE 16/SSAE 18)

SOC 1 (SSAE 16/SSAE 18) reporting allows for management's monitoring activities to provide evidence regarding the design and operating effectiveness of controls; ultimately allowing the service organization to use the concept of "monitoring" as a key principle in support of the written assertion. In simpler terms, "monitoring" is a process for which the effectiveness of internal controls are assessed by activities that are generally built into the day-to-day operations of many service organizations, along with separate evaluations.

A service organization's monitoring activities for purposes of SOC 1 (SSAE 16/SSAE 18) reporting can include the following:

  • Evaluations of daily operations
  • Management and supervisory activities
  • Internal audit functions
  • System checks and balances | Manual checks and balances
  • Communication with third party entities
  • Additional safeguards, controls, processes, procedures, and oversight activities that assist in monitoring a service organization’s system.

Understanding "Identification of Risks" and "Suitable Criteria" Concepts

Regarding SOC 1 (SSAE 16/SSAE 18) "Identification of Risks" concept, management is essentially responsible for identifying risks that threaten the achievement of the stated control objectives that are found within the description of the "system". In simpler terms, what processes, both formal and informal, does management have in place for identifying risks? Is an annual risk assessment process undertaken every year by the service organization? Does your risk assessment process include a comprehensive analysis of your control environment and the related control objectives that are to be included within the description of the "system"? Do your control objectives adequately address all risks for which your organization seeks to mitigate?

And finally, the SOC 1 (SSAE 16/SSAE 18) "Suitable Criteria" concept is one that is grounded in the assumption that management of the service organization is responsible for selecting the criteria and its appropriateness. Furthermore, the "suitable criteria" concepts states that the subject matter is to be capable of being evaluated against "criteria" considered suitable for intended users. In simpler terms, the subject matter, which is known as management's description of its "system", is to be evaluated against certain criteria, which are elements that constitute the fairness of the presentation of the service organization's system. Additionally, the suitability of the design of controls (SOC 1 (SSAE 16/SSAE 18) Type 1) and the operating effectiveness of controls (SOC 1 (SSAE 16/SSAE 18) Type 2) must also be evaluated against suitable criteria.

The Importance of Management's Written Assertion for SOC 1 (SSAE 16/SSAE 18)

What's fundamentally important to note about these three concepts ("Monitoring of Controls", "The Identification of Risks", "Suitability Criteria") is they all play a critical role in helping management of the service organization in developing and providing their description of its "system" along with the written assertion for SSAE 16 reporting.  Thus, be advised that management's written assertion will contain specific references to the "criteria" clause.  Looking for a competitive, fixed-fee for all your SOC 1 (SSAE 16/SSAE 18), SOC 2, and 3 reporting needs? Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 today.

The Emergence of SOC 2 Reports

Furthermore, while SOC 1 (SSAE 16/SSAE 18) is one of the most well-known and respected compliance frameworks in the world, SOC 2 assessments are actually outpacing and surpassing SOC 1 (SSAE 16/SSAE 18). This is due primarily to the large growth of technology, and how the SOC 2 standard was essentially developed for evaluating control environments for technology oriented companies. From data centers to cloud vendors, software developer, and more, SOC 2 is becoming the preferred third-party assessment, and rightfully so.

NDNB – North America’s Leading Providers of SOC 1 and SOC 2 Audits – Fixed Fees

When it comes to regulatory compliance, turn to the trusted experts today at NDNB. Visit ssae16.org today to learn more about SOC 1 and SOC 2 audits, along with numerous complimentary services offered by us. NDNB also offers SOC 3, EI3PA, ACH Audits, MERS compliance, internal audits, along with many other specialty services, so contact us today to learn more.