System and Organization Controls (SOC) 1 reports are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18. SSAE 18 has essentially replaced the aging and historical SAS 70 and SSAE 16 auditing standards for reporting periods dated on or after May 1, 2017. Much like SAS 70, SSAE 18 provides two (2) reporting options; Type 1 a service organization's system and the suitability of the design of controls", while a SOC 1 SSAE 18 Type 2 Report is officially a "Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls".
Why the Need for a New Standard - From SAS 70 to SSAE 16 to SSAE 18
While the SAS 70 audit standard became highly misused – ultimately straying from its original intent – the new SOC 1 SSAE 18 standard has been developed specifically for service organizations showing a true relationship with the ICFR concept – Internal Controls over Financial Reporting. More specifically, SOC 1 SSAE 18 Type 1 and Type 2 reports under the SOC 1 reporting framework represent a sincere effort by the AICPA to utilize this new attestation standard in the very manner for which the original SAS 70 standard was designed for, which is “reporting on controls” related to that of financial matters.
To learn more about SOC 1 SSAE 18 and the AICPA SOC framework, visit the official SOC Report Guide, developed exclusively by NDNB Accountants & Consultants, LLP (NDNB), which provides important information on the following topics:
- Introduction to SOC 1 SSAE 18
- Why a New Standard?
- Responsibilities and Requirements for SOC 1 SSAE 18 assessments.
- Description of the Service Organization's "system" for SOC 1 SSAE 18 compliance.
- The Written Assertion by Management.
As for some good advice regarding SOC 1 SSAE 18 compliance, remember the following:
1. Conduct a Readiness Assessment: You’ll need to know what – if any – areas within one’s control environment require remediation prior to beginning an actual SOC 1 SSAE 18 audit. After all, walking straight into an assessment with little or no preparation is a recipe for disaster as every entity has something that requires fixing or correcting before the audit commences. Is it really a good idea to walk straight into an SOC 1 SSAE 18 assessment without doing any type of preliminary work, such as identifying scope, control issues, and more? No, it’s not, so talk to the experts today at NDNB about performing a brief, cost-effective, and highly beneficial SOC 1 SSAE 18 readiness assessment today.
2. Expect to Remediate Issues: No company has a picture perfect control environment – nobody – so you can truly expect some form of remediation to take place, such as developing processes and procedures, implementing system configuration changes, etc. The degree and depth of remediation really depends on the maturity of one’s control environment.
4. Compliance is an Annual Commitment: Once you being the process of SOC 1 SSAE 18 compliance, you can fully expect annual compliance reporting to be the norm, it’s the new world of regulatory compliance we live in. And it’s also why finding and working with a qualified CPA firm with years of compliance expertise just makes sense. You can lock in a long-term price contract, gain familiarity with their auditing processes, ultimately building confidence in your internal control environment.
5. Lastly – and for an ounce of clarity – just remember the following: (1). SOC 1 SSAE 18 reporting is financially driven – specifically – companies offering services that can impact a client’s financials perform these types of audit. (2). The SOC 2 reporting standard is highly applicable for technology service organizations – SaaS and cloud computing, etc.
SOC 1 SSAE 18 Experts | Talk to NDNB
As one of North America’s leading provider of SOC 1 SSAE 18 – and SOC 2 audits – NDNB has the depth, experience, and audit “know-how” for helping businesses succeed in today’s world of regulatory compliance – and we do it all. From helping develop processes and procedures to performing the actual assessments, NDNB is with you every step of the way.
NDNB also offers comprehensive SOC 1 and SOC 2 audits for businesses using Amazon AWS, Microsoft Azure, and Google GCP. And if you're using AWS for hosting of your production environment, here's what you need to know NOW about SOC 2 audits