There are a number of SOC 1 requirements for surh reports that service organizations should be aware of. The SSAE 18 standard, which effectively replaced the SSAE 16 auditing standard for opinion letters dated on or after May 1, 2017, has quickly become the global de facto reporting option for service organizations, thus it's important to take note of the following SOC 1 requirements, along with general notes and comments that will help all interested parties learn more about SOC 1 reporting:
1. Description of the "system": Management of the service organization is ultimately responsible for providing what's technically known as the description of its "system" - which is the following:
"the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities."
SAS 70 had a similar requirement called a description of "controls", but the SSAE 16 description - and now, the SSAE 18 description - of one's "system" is looked upon as a more detailed and comprehensive requirement than that of SAS 70's description of controls. And though there are not hard and fast rules on how to document one's system, and to what extent, service organizations should really try to include as much relevant information as possible.
2. Written statement of assertion by management: Additionally, management of the service organization must also provide the service auditor with a written statement of assertion - that is - a document that effectively asserts to a number of important provisions and clauses relating to the engagement itself. This "assertion" was never a requirement for the previous SAS 70 auditing standard, but now forms an important component of service organization reporting for SSAE 16, and now, SSAE 18. A competent and well-qualified IR CPA firm can assist service organizations in drafting this "assertion", as it essentially has been pre-written by the American Institute of Certified Public Accountants (AICPA) within a number of their Service Organization Control (SOC) publications.
3. SSAE 18 Standard: This is the AICPA attestation standard that fundamentally reshaped the entire third-party reporting platform for service organizations. Specifically, SSAE 18 superseded and effectively replaced the SSAE 16 auditing standard for opinion letters dated on or after May 1, 2017. Furthermore, SSAE 18 has become the professional standard for which the SOC 1 framework is based upon, allowing service organizations to undergo SOC 1 SSAE 18 Type 1 and SOC 1 SSAE 18 Type 2 reporting.
4. AICPA Service Organization Control (SOC) Reporting Platform. There’s been quite a bit of talk about the AICPA “SOC” platform, so what’s important to note are the three (3) reporting options, SOC 1, SOC 2, and SOC 3. While SOC 1 was designed for service organizations who have a true nexus with the ICFR concept (Internal Control over Financial Reporting), SOC 2 and SOC 3 are aimed at many of today’s technology oriented service organizations, such as data centers, cloud computing vendors, managed service providers, and others. And while the adoption of SOC 2 and SOC 3 has been a little slower than anticipated, awareness for these reporting options is gaining ground. SOC 1, however, continues to be the dominating force for reporting on controls at service organizations.
5. SOC 1 vs. SOC 2. Though SOC 1 is considered the more well-known and often used reporting platform for today’s service organizations, SOC 2 demands equal merit and attention, and for a number of credible reasons. First, it’s a great reporting option for service organizations that don’t have a true relationship or “nexus” with the ICFR concept – Internal Control over Financial Reporting. Second, for many of today’s technology oriented service organizations, SOC 2, and the five (5) accompanying Trust Services Principles (TSP), are an excellent platform for reporting on controls related to (1). Security. (2). Availability. (3). Processing Integrity. (4). Confidentiality, and (5). Privacy. And don’t forget that SOC 3, which also utilizes the Trust Services Principles, is another great option for reporting on controls.
Other notable topics worth exploring regarding SOC compliance are the following:
• What is a service organization?
• Subservice organization reporting
• AT 101
• SOC 3 compliance
Contact Christopher G. Nickell, CPA, to learn more about SOC 1 (SSAE 18 reporting) and NDNB’s competitive, fixed-fee pricing for SOC 1, SOC 2 and SOC 3 reports. He can be reached at 1-800-277-5415, ext. 706, or at This email address is being protected from spambots. You need JavaScript enabled to view it., today.
