SOC 1 (SSAE 18) Type 2 compliance audits are being performed on a large and ever-growing number of service organizations as the AICPA standard has become - much like the historical SAS 70 and SSAE 16 auditing standards were for 25 years - the de facto third-party internal control reporting framework. Many service organizations are new to SOC 1 (SSAE 18), pushed into the world of regulatory compliance by demanding customers and by regulators wanting to inquire about a company’s internal controls. With that said, it’s important to take note of the following 5 items regarding SOC 1 (SSAE 18) compliance audits, brought to you by NDNB.
1. The AICPA SOC framework. The American Institute of Certified Public Accountants' Service Organization Control (SOC) reporting framework consists of SOC 1, SOC 2, and SOC 3 reporting, for which SSAE 18 is the professional standard used for SOC 1 reporting purposes. Hence, service organizations can receive a SOC 1 Type 1 and/or a SOC 1 Type 2 report. Long gone is the "one-size-fits-all" SAS 70 and SSAE 16 audit approach, effectively replaced by reporting options that reflect today's complex, technology-driven business landscape. For an ounce of clarity, just remember that SSAE 18 is the professional standard for SOC 1, while AT 101 is the professional standard used for SOC 2 and SOC 3 reporting. A competent, well-qualified CPA firm, such as NDNB, can help clarify and answer any questions regarding SOC reporting.
2. Description of the “system”. For SOC 1 (SSAE 18) Type 2 compliance (and for Type 1 reporting also), management of the service organization is to develop a description of its “system”, which is the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities. The description should adequately illustrate many of the service organization’s daily operational procedures, information security safeguards and controls, along with other important measures. NDNB, a nationally recognized CPA firm, can help service organizations develop the description of their “system”.
3. Written Statement of Assertion by management. Along with the description of its “system”, SOC 1 (SSAE 18) Type 2 compliance requires management of the service organization to provide the service auditor (i.e., the CPA performing the actual engagement) with a written statement of assertion whereby management effectively asserts to a number of clauses and provisions. This is a new component of the AICPA SOC framework, yet it’s relatively straightforward and many examples can be found online. Additionally, speaking with a competent, well-qualified PCAOB CPA firm, such as NDNB, is a good place to start.
4. SOC 1 (SSAE 18) vs. SOC 2 (AT 101). Because SOC 1 (SSAE 18) reporting is “technically” geared towards service organizations having a credible nexus with the ICFR concept - internal control over financial reporting - technology companies may want to look at SOC 2 reporting. SOC 2 and SOC 3 reporting are an ideal fit for many of today’s technology-oriented service organizations as the Trust Services Principles (TSP) generally help better illustrate control environments for data centers, managed services providers, software as a service (SaaS) organizations, etc. Though SOC 1 (SSAE 18) Type 2 reporting is considered the more well-known platform, SOC 2 deserves merit also. Learn more about the SOC 1 vs. SOC 2 debate.