Provide a Written statement of assertion by management. Management of the service organization must also provide a written statement of assertion to the actual practitioner (i.e., CPA) performing the SOC 1 SSAE 18 Type 1 or Type 2 engagement. This written assertion requires management to effectively assert to a number of provisions relating to the actual SSAE 18 standard and the overall assessment process. The written assertion is a new requirement for service organization reporting, something that was not a part of the SAS 70 auditing standard, which was in use from April, 1992 to June 15, 2011, but was in use with the SSAE 16 auditing standard. NDNB Accountants & Consultants can provide service organizations with a template to use, which can also be found within many of the AICPA publications, available at cpa2biz.com.
Learn about Subservice organization reporting. Subservice organization reporting comes into play essentially when one service organization utilizes the services of another service organization, hence, creating subservice organization reporting requirements. Thus, the “inclusive” and “carve-out” methods are used for reporting on these very subservice organizations for purposes of SOC 1 SSAE 18 Type 1 and Type 2 compliance.
Consider the Internal Audit Function. Many service organizations have internal operational staff (or even outsourced auditors) that assist in many day-to-day internal audit functions. This is important to note as the internal audit function itself can become an important component of SOC 1 SSAE 18 audit requirements – provided certain criteria has been met, such as the following:
• The objectivity along with the overall competency of the group (technical and professional competency.
• Is due professional care used when the work is being performed by the internal audit function?
• Can the internal audit function of the service organization effectively communicate with the service auditor in a transparent and professional manner for helping facilitate the SOC 1 SSAE 18 engagement?
Other topics of Interest regarding SOC 1 SSAE 18 audit requirements include the following:
Go to Part I of the SOC 1 SSAE 18 Audit Requirements white paper.