There are numerous SOC 1 SSAE 18 Type 2 audit requirements for compliance that service organizations should be aware of for helping ensure an efficient, transparent and cost-effective process, from beginning to end. Ever since the SSAE 18 standard replaced the SSAE 16 auditing standard (for reports dated on or after May 1, 2017), service organizations have been working hard to conform with the new requirements - which, to be fair - are not too terribly taxing. Sure, there’s a number of administrative changes brought about by SSAE 16, ultimately requiring service organization to have a strong understanding of the following:
1. SAS 70 and SSAE 16 reports are no longer being issued. For approximately twenty-five years (April 1992 - April, 2017), the SAS 70 and SSAE 16 auditing standards were the global de facto compliance platforms for reporting on controls at service organizations, but much has changed in the business world (most notably, the advancement of technology), resulting in major changes for third-party internal control reporting.
2. AICPA SOC Framework. Say goodbye to SAS 70 and SSAE 16 and hello to the AICPA System and Organization Controls (SOC) reporting framework, which offers three (3) reporting options for service organizations: SOC 1 SSAE 18 | SOC 2 AT 101 | SOC 3 AT 101.
3. Description of its “system”. SOC 1 SSAE 18 also requires management of the service organization to develop a description of its “system”, which is essentially the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities. A well-qualified, IR CPA firm can assist service organizations in better planning and writing an actual description of one’s “system”.
4. Written statement of assertion by management. Along with the description of its “system”, SOC 1 SSAE 18 also requires that management of the service organization provide a written statement of assertion - a statement whereby by management effectively asserts to a number of critical clauses and provisions relating to the actual SSAE 16 assessment. This is a new requirement when compared to the historical SAS 70 auditing standard, for which a competent, experienced IR CPA firm can assist you in developing the written statement of assertion.