Service organizations that are new to third-party reporting on controls or who are migrating from the SSAE 16 standard to SSAE 18 should follow a comprehensive roadmap for ensuring compliance in an efficient, seamless, and cost-effective manner. Without a workable roadmap and timeline, the transition to SOC 1 SSAE 18 compliance can seem daunting indeed.
NDNB has prepared the following SOC 1 SSAE 18 Roadmap to compliance- a series of essential steps to be taken for helping your organization meets the demands of the new attestation standard.
Learn about SOC 1 SSAE 18
SOC 1 SSAE 18 brings out new reporting requirements for service organizations, and as such, these very service organizations need to gain a strong technical understanding of the following essential material:
- The service organization's description its "system"
- The written assertion by management
- The internal audit function
- Subservice organization reporting
Hire a Qualified PCAOB CPA Firm for SSAE 16 Reporting
Choose a CPA firm that specializes in regulatory compliance reporting and one that has formidable experience with the SSAE 16 auditing standard, along with a strong technical understanding of SOC 1 SSAE 18 reporting and the international equivalent ISAE 3402 standard. A competent CPA firm will help you in the following manner:
- Provide you with a fixed fee for the SOC 1 SSAE 18 engagement.
- Provide guidance in helping you produce both the description of your "system" along with the written assertion by management.
- Provide, as needed, various policies, procedures, and other templates to help remediate any weaknesses within your control environment.
Conduct a SOC 1 SSAE 18 Readiness Assessment
A SOC 1 SSAE 18 Readiness Assessment should be considered a "must have" for any service organization, regardless if you are new to the regulatory compliance arena or if you are simply migrating from the SAS 70 auditing standard. In short, a SOC 1 SSAE 18 Readiness Assessment is a proactive and useful engagement for helping to better plan and execute the overall audit. A SOC 1 SSAE 18 Readiness Assessment should encompass the following:
- Understanding the reporting requirements for SOC 1 SSAE 18.
- Developing and agreeing on the scope of a SOC 1 SSAE 18 engagement, such as control objectives to include, business process controls, physical locations for fieldwork, duration of the test period (if a SOC 1 SSAE 18 Type 2 engagement is being performed), etc.
- Providing to the service organization a series of SOC 1 SSAE 18 Readiness Questionnaires.
- Developing a gap analysis, identifying areas that may require remediation before beginning the audit.
- Identifying and discussing, if applicable, the role of the internal audit function within the service organization.
- Providing guidance and direction to the service organization regarding developing the escription of its "system" and the written assertion by management-two fundamentally important components of SOC 1 SSAE 18 reporting.
If, during the course of the SOC 1 SSAE 18Readiness Assessment, gaps were found that require remediation, it's then imperative that this is conducted before moving forward with the actual audit itself. The remediation period can and will vary from one service organization to another, and many times is the result of having inadequate procedures and other documented processes in place. Other times, it may require putting in place a number of controls or other measures for ensuring the intent and the rigor of the actual control to be tested is effectively met.
Other Essential Steps
Once you have completed remediation, the audit should effectively commence, which may begin with any number of steps, depending on the firm you work with and the course of action that has been outlined during the SOC 1 SSAE 18 Readiness Assessment phase. Generally speaking, the following measures will need to be undertaken for a SOC 1 SSAE 18 engagement:
- Scheduling fieldwork and identifying personnel.
- Developing a comprehensive list of items to be obtained and inspected during fieldwork.
- Confirming that management of the service organization has produced a description of its system and is also developing a written assertion also.
- Authoring the final SOC 1 SSAE 18 Type 1 or Type 2 report, noting any exceptions, while also providing the service organization with general post-audit comments, suggestions, and other feedback, which is generally known as "management comments".
- Having all relevant parties of the SOC 1 SSAE 18 audit participate in a formal closing meeting.