SOC 1 SSAE 18 Type 2 reports are common practice in today’s world of regulatory compliance as organizations continue to outsource critical services to other organizations, effectively known as “service organizations”. Considering outsourcing to a third-party, or perhaps your organization has been asked to undertake SOC 1 SSAE 18 Type 1 and/or Type 2 reporting compliance - if so - take note of the following important points, brought to you by NDNB.
1. Understand the SOC framework and SSAE 18. After years of faithful service, the longstanding SAS 70 auditing standard - along with SSAE 16 - were finally put to rest, effectively replaced by the American Institute of Certified Public Accountants’ (AICPA) Service Organization Control (SOC) reporting framework, consisting of the following: SOC 1 SSAE 18, SOC 2 AT 101, and SOC 3 AT101. Three (3) different reporting options for helping meet the needs of today’s growing, expanding, and complex service organizations, many of which rely heavily on information technology. As for SOC 1 SSAE 18 and SOC 2 AT 101 reporting, service organization can opt for Type 1 and/or Type 2 reports. The SOC framework was long overdue and its now being actively embraced by many involved in service organization reporting.
2. Scoping is critical. Scope is the main driver for all critical components of SOC 1 SSAE 18 Type 2 reporting, such as price, duration, complexity, etc. Because of this, it’s very important to unearth the “who, what, when, where, and why” for an engagement of this type, which means discussing what business processes are to be included, physical locations to visit, number and type of control objectives and subsequent test, etc. It’s therefore essential to work with a well-qualified, IR CPA firm, one with years of experience performing internal control assessments. Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 or email him at This email address is being protected from spambots. You need JavaScript enabled to view it. to learn more.
3. Readiness Assessments. Crawling before you walk is not a bad suggestion, so it’s a good idea to engage with a CPA firm in conducting an actual SOC 1 SSAE 18 Type 2 report Readiness Assessment – a proactive and useful engagement for helping unearth any necessary areas for remediation. Because most companies are very good at what they do, but often lack in the area of documentation, readiness assessments often find gaps with operational and information security documents, which can be time-consuming and taxing to write, but they’re a must when it comes to SOC 1 SSAE 18 reporting.
4. Two notable reporting requirements. For SOC 1 SSAE 18 Type 2 reporting, it's important to note that management of the service organization has two (2) distinct deliverables: (1). Providing a description of its "system", along with a written statement of assertion. Both are fairly straightforward, yet actually authoring the description of one's "system" can be a fairly time-consuming process as it's looked upon as the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities. As for management's written statement of assertion, a competent, well-qualified CPA firm can provide a template.
5. Welcome to regulatory compliance. Generally speaking, once you've performed your initial SOC 1 SSAE 18 Type 2 report, clients, regulators - and all other intended parties - will continue to expect (and demand) annual compliance, so keep this in mind.