As for Items 6 through 10 of the SOC 1 SSAE 18 audit checklist, please note the following:
6. Assign roles and responsibilities to internal personnel. Again, another concept that sounds relatively straightforward, yet challenges often arise when deliverables come due. From answering SOC 1 SSAE 18 readiness questionnaires offered up by CPA firms, to gaining valuable audit evidence, roles and responsibilities need to be clear and transparent.
7. Assist in authoring the final report. The actual deliverable for a SOC 1 SSAE 18 engagement is known as the Service Auditor’s Report, a lengthy document that highlights numerous operational and business process activities undertaken by the service organization. This is technically known as the description of the “system”, and service organizations are required to produce one. Look upon the description of the “system” as the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities. The key to authoring a well-written and comprehensive description of one’s “system” is to work with a CPA firm specializing in SOC 1 SSAE 18 compliance, such as NDNB.
8. Provide a written statement of assertion. Along with the description of its “system”, management of the service organization must also provide a written statement of assertion as part of its SOC 1 SSAE 18 reporting requirements. The “assertion” – as it’s commonly called – is essentially a document for which the service organization is asserting to a number of essential clauses and provisions regarding the SOC 1 SSAE 18 assessment process itself. Your CPA firm conducting the engagement can provide you with a written statement of assertion template. Interestingly, the assertion was never a requirement with the previous SAS 70 auditing standard, which had been in place for approximately twenty (20) years (April, 1992 to June 15, 2011), but it became a requirement for SSAE 16, and continues on for SOC 1 SSAE 18.
9. SSAE 18 is a moving target, so plan accordingly. SSAE 18 is not a "one and done" concept, sure, the actual SOC 1 SSAE 18 Type 2 assessment may only be done once a year, but service organizations should strive to conduct activities on a quarterly basis for assisting with one's compliance mandates. Specifically, gathering audit evidence and working with your external CPA firm conducting the annual assessment is a smart move, one that results in efficiency for both sides. Talk to your CPA and establish quarterly milestones throughout the year for your annual SOC 1 SSAE 18 Type 2 report.
10. Determine the appropriate users of the report. In recent years, there’s been much debate on who can obtain a SOC 1 SSAE 18 report – and more importantly – what part of the report should be distributed. Generally speaking, only “intended users” should be given access to a SOC 1 SSAE 18 report – and even then – only a brief summary, such as the auditor “opinion page” should be released. However, many “intended users” prefer or even demand access to the entire report. The point is to readily assess your client’s demands regarding SSAE 16 reporting, and what specifically they expect to receive in terms of reporting.
Read Part I of the SOC 1 SSAE 18 audit checklist.