
The phrase "SOC 1 SSAE 18 Type 2 compliant" is used quite a bit these days by businesses marketing themselves as an entity that has undertaken the rigorous assessment process under the well-known AICPA attestation standard, SSAE 18. But what does "SOC 1 SSAE 18 Type 2 Compliant" really mean? Quite a bit, so NDNB has provided the following list of helpful information relating to Statement on Standards for Attestation Engagements (SSAE) No. 18.

1. The AICPA SOC Framework. SSAE 18 is the professional standard used for issuing SOC 1 reports in accordance with the American Institute of Certified Public Accountants' Service Organization Control (SOC) reporting framework, which consists of SOC 1 (SSAE 18) along with SOC 2 and SOC 3 (AT 101) reporting. Additionally, the SSAE 18 standard effectively replaced the aging SSAE 16 and SAS 70 auditing standards that had been in use for approximately twenty-five (25) years.

2. Define Scope. Different CPA firms have different methods for auditing service organizations when it comes to SOC 1 SSAE 18 Type 2 Compliant reporting, and that's because the SSAE 18 standard, unlike many other compliance initiatives (e.g. PCI DSS, HITRUST), is not "prescriptive" in nature. More specifically, it comes with only a lightly enforced framework, one that is open to wide interpretation by auditors, service organizations, and other interested parties. To be fair, this is to the advantage of the industry as a whole, as service organizations can be radically different entities with completely different operational environments from one to the next. As a result, the SSAE 18 standard has to be flexible and adaptive, not prescriptive.

3. It's an Annual Commitment. While we will stop short of calling it an annual "requirement", customers and other intended users of SOC 1 SSAE 18 Type 2 reports will come to expect, and demand, such reporting on an annual basis. The "one and done" approach unfortunately does not work in today's world of growing regulatory compliance mandates.

4. There is NO Certification. I repeat, this is NOT a certification, a seal, or any other type of designated certificate; it does not work that way. Specifically, "SOC 1 SSAE 18 Type 2 Compliant" means that a service organization has undergone attest procedures in accordance with the AICPA professional standard, resulting in the issuance of a service auditor's report. The phrase "SOC 1 SSAE 18 Type 2 Compliant" is therefore a more accurate statement than the incorrect "certification" verbiage.

5. Start with a Readiness Assessment. Not sure where to begin if SOC 1 SSAE 18 Type 2 Compliance is being requested by customers and other parties? Begin with a comprehensive and cost-effective SOC 1 SSAE 18 readiness assessment, one that covers all issues regarding an audit of this type. Crawling before you walk, as the old saying goes, is not a bad idea! Talk to the experts at NDNB Accountants & Consultants today. Learn more about
