The phrase "SOC 1 SSAE 18 Type 2 compliant" is used quite a bit these days by businesses marketing themselves as an entity that has undertaken the rigorous assessment process under the well-known AICPA attestation standard, SSAE 18. But what does "SOC 1 SSAE 18 Type 2 Compliant" really mean? Quite a bit, which is why NDNB has provided the following list of helpful pieces of information and subject matter relating to Statement on Standards for Attestation Engagements (SSAE) No. 18.
1. The AICPA SOC Framework. SSAE 18 is actually the professional standard used for issuing SOC 1 reports in accordance with the American Institute of Certified Public Accountants' Service Organization Control (SOC) reporting framework, which consists of SOC 1 (SSAE 18) along with SOC 2 and SOC 3 (AT 101) reporting. Additionally, the SSAE 18 standard effectively replaced the aging and antiquated SSAE 16 and SAS 70 auditing standards that had been in use for approximately twenty-five (25) years.
2. Define Scope. Different CPA firms have different methods for auditing service organizations when it comes to SOC 1 SSAE 18 Type 2 Compliant reporting, and that's because the SSAE 18 standard – unlike many other compliance initiatives (e.g. PCI DSS, HITRUST, etc.) – is not "prescriptive" in nature. More specifically, it only comes with a lightly enforced framework, one that's open to wide interpretation by auditors, service organizations, and other interested parties. To be fair, this is to the advantage of the industry as a whole, as service organizations can be radically different entities with completely different operational environments from one to the next. As a result, the SSAE 18 standard has to be flexible and adaptive, not prescriptive.
3. It's an Annual Commitment. While we will stop short of calling it an annual "requirement", customers and other intended users of SOC 1 SSAE 18 Type 2 reports will come to expect - and demand - such reporting on an annual basis. The "one and done" approach unfortunately does not work in today's world of growing regulatory compliance mandates.
4. There is NO Certification. I repeat, this is NOT a certification, a seal or any other type of designated certificate - it does not work that way. Specifically, SOC 1 SSAE 18 Type 2 Compliant essentially means that a service organization has undergone attest procedures in accordance with the AICPA professional standard, resulting in the issuance of a service auditor's report. The phrase "SOC 1 SSAE 18 Type 2 Compliant" is a better statement than the incorrect "certification" verbiage.
5. Start with a Readiness Assessment. Not sure where to begin if SOC 1 SSAE 18 Type 2 Compliance is being requested by customers and other parties? Begin with a comprehensive and cost-effective SOC 1 SSAE 18 readiness assessment, one that covers all issues regarding an audit of this type. Crawling before you walk - as the old saying goes - is not a bad idea! Talk to the experts at NDNB Accountants & Consultants today. Learn more about
SOC 1 SSAE 18 Type 2 reports are common practice in today’s world of regulatory compliance as organizations continue to outsource critical services to other organizations, known as “service organizations”. If you are considering outsourcing to a third party, or if your organization has been asked to undertake SOC 1 SSAE 18 Type 1 and/or Type 2 reporting compliance, take note of the following important points, brought to you by NDNB.
1. Understand the SOC framework and SSAE 18. After years of faithful service, the longstanding SAS 70 auditing standard - along with SSAE 16 - was finally put to rest, effectively replaced by the American Institute of Certified Public Accountants’ (AICPA) Service Organization Control (SOC) reporting framework, consisting of the following: SOC 1 SSAE 18, SOC 2 AT 101, and SOC 3 AT 101. These are three (3) different reporting options for helping meet the needs of today’s growing, expanding, and complex service organizations, many of which rely heavily on information technology. As for SOC 1 SSAE 18 and SOC 2 AT 101 reporting, service organizations can opt for Type 1 and/or Type 2 reports. The SOC framework was long overdue and it's now being actively embraced by many involved in service organization reporting.
3. Readiness Assessments. Crawling before you walk is not a bad suggestion, so it’s a good idea to engage a CPA firm to conduct an actual SOC 1 SSAE 18 Type 2 report Readiness Assessment – a proactive and useful engagement for helping unearth any necessary areas for remediation. Most companies are very good at what they do but often lack in the area of documentation, so readiness assessments often find gaps in operational and information security documents. These can be time-consuming and taxing to write, but they’re a must when it comes to SOC 1 SSAE 18 reporting.
4. Two notable reporting requirements. For SOC 1 SSAE 18 Type 2 reporting, it's important to note that management of the service organization has two (2) distinct deliverables: (1) a description of its "system", and (2) a written statement of assertion. Both are fairly straightforward, yet actually authoring the description of one's "system" can be a fairly time-consuming process, as it's looked upon as the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities. As for management's written statement of assertion, a competent, well-qualified CPA firm can provide a template.
5. Welcome to regulatory compliance. Generally speaking, once you've performed your initial SOC 1 SSAE 18 Type 2 report, clients, regulators - and all other intended parties - will continue to expect (and demand) annual compliance, so keep this in mind.
SOC 1 (SSAE 18) Type 2 compliance audits are being performed on a large and ever-growing number of service organizations as the AICPA standard has become - much like the historical SAS 70 and SSAE 16 auditing standards were for 25 years - the de facto third-party internal control reporting framework. Many service organizations are new to SOC 1 (SSAE 18), being pushed into the world of regulatory compliance from demanding customers along with regulators wanting to inquire about a company’s internal controls. With that said, it’s important to take note of the following 5 items regarding SOC 1 (SSAE 18) compliance audits, brought to you by NDNB.
1. The AICPA SOC framework. The American Institute of Certified Public Accountants' Service Organization Control (SOC) reporting framework consists of SOC 1, SOC 2, and SOC 3 reporting, for which SSAE 18 is the professional standard used for SOC 1 reporting purposes. Hence, service organizations can receive a SOC 1 Type 1 and/or a SOC 1 Type 2 report. Long gone are the "one-size-fits-all" SAS 70 and SSAE 16 audit approaches, effectively replaced by reporting options that reflect today's complex, technology-driven business landscape. For an ounce of clarity, just remember that SSAE 18 is the professional standard for SOC 1, while AT 101 is the professional standard used for SOC 2 and SOC 3 reporting. A competent, well-qualified CPA firm, such as NDNB, can help clarify and answer any questions regarding SOC reporting.
2. Description of the “system”. For SOC 1 (SSAE 18) Type 2 compliance (and for Type 1 reporting also), management of the service organization is to develop a description of its “system”, which is the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities. The description should adequately illustrate many of the service organization’s daily operational procedures, information security safeguards and controls, along with other important measures. NDNB - a nationally recognized CPA firm - can assist service organizations in developing the description of their “system”.
3. Written Statement of Assertion by management. Along with the description of its “system”, SOC 1 (SSAE 18) Type 2 compliance requires management of the service organization to provide the service auditor (i.e., the CPA performing the actual engagement) with a written statement of assertion whereby management effectively asserts to a number of clauses and provisions. This is a new component of the AICPA SOC framework, yet it’s relatively straightforward and many examples can be found online. Additionally, speaking with a competent, well-qualified IR CPA firm, such as NDNB, is a good place to start.
4. SOC 1 (SSAE 18) vs. SOC 2 AT 101. Because SOC 1 SSAE 18 reporting is “technically” geared towards service organizations having a credible nexus with the ICFR concept - internal control over financial reporting - technology companies may want to look at SOC 2 reporting. SOC 2 and SOC 3 reporting are an ideal fit for many of today’s technology oriented service organizations as the Trust Services Principles (TSP) generally help better illustrate control environments for data centers, managed services providers, software as a service (SaaS) organizations, etc. Though SOC 1 SSAE 18 Type 2 reporting is considered the more well-known platform, SOC 2 deserves merit also. Learn more about the SOC 1 vs. SOC 2 debate.
There are numerous SOC 1 SSAE 18 Type 2 audit requirements for compliance that service organizations should be aware of for helping ensure an efficient, transparent and cost-effective process, from beginning to end. Ever since the SSAE 18 standard replaced the SSAE 16 auditing standard (for reports dated on or after May 1, 2017), service organizations have been working hard to conform with the new requirements - which, to be fair - are not too terribly taxing. Sure, there are a number of administrative changes brought about by SSAE 16, ultimately requiring service organizations to have a strong understanding of the following:
1. SAS 70 and SSAE 16 reports are no longer being issued. For approximately twenty-five years (April 1992 - April 2017), the SAS 70 and SSAE 16 auditing standards were the global de facto compliance platforms for reporting on controls at service organizations, but much has changed in the business world (most notably, the advancement of technology), resulting in major changes for third-party internal control reporting.
2. AICPA SOC Framework. Say goodbye to SAS 70 and SSAE 16 and hello to the AICPA System and Organization Controls (SOC) reporting framework, which offers three (3) reporting options for service organizations: SOC 1 SSAE 18 | SOC 2 AT 101 | SOC 3 AT 101.
3. Description of its “system”. SOC 1 SSAE 18 also requires management of the service organization to develop a description of its “system”, which is essentially the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities. A well-qualified, IR CPA firm can assist service organizations in better planning and writing an actual description of one’s “system”.
4. Written statement of assertion by management. Along with the description of its “system”, SOC 1 SSAE 18 also requires that management of the service organization provide a written statement of assertion - a statement whereby management effectively asserts to a number of critical clauses and provisions relating to the actual SSAE 16 assessment. This is a new requirement when compared to the historical SAS 70 auditing standard, and a competent, experienced IR CPA firm can assist you in developing the written statement of assertion.
SOC 1 SSAE 18 audit preparation, when done correctly, is an extremely proactive and beneficial process for helping service organizations plan, prepare, execute, and successfully complete a SOC 1 SSAE 18 engagement. Many entities are new to the entire SOC 1 SSAE 18 reporting landscape, requiring direction and guidance on a number of important issues, such as finding an auditor, conducting a readiness assessment, and identifying gaps and weaknesses, just to name a few notable items. With that said, take note of the following brief SOC 1 SSAE 18 audit preparation list of items compiled by NDNB, a nationally recognized IR CPA Firm specializing in SOC 1 SSAE 18 and SOC 2, SOC 3 AT 101 SysTrust | WebTrust reporting:
Begin with an SSAE 16 Readiness Assessment - This process alone is one of the most fundamentally important steps an organization can take, so look at it as a useful and proactive undertaking for ensuring you’re actually ready for a SOC 1 SSAE 18 Type 1 or Type 2 assessment. A SOC 1 SSAE 18 Readiness Assessment – when conducted properly – should provide valuable information regarding audit scope (i.e., systems being tested, physical locations to visit, the number of control objectives, etc.), remediation items (i.e., areas of deficiency, from an operational and technical perspective, such as policies and procedures, etc.), audit sampling, the deliverables expected by the CPA firm conducting the engagement, and more.
Moreover, if your organization is completely new to the SOC 1 SSAE 18 process, then a Readiness Assessment is a must. High-quality CPA firms – those with years of regulatory compliance reporting experience – often include the cost of a SOC 1 SSAE 18 Readiness Assessment in their overall fixed-fee pricing model, so be sure to inquire about such services.
Remediate Technical Constraints – Real SOC 1 SSAE 18 audit preparation means finding areas of remediation, along with actually following through with the remediation efforts themselves, such as re-configuring system parameters for one’s SOC 1 SSAE 18 control objectives and related tests. Because most SOC 1 SSAE 18 assessments focus on what’s known as “general Information Technology (I.T.) controls”, remediation efforts are commonly seen in provisioning and hardening computer systems, such as removing default settings, insecure services, etc. Remember, auditors will want to see evidence of one’s remediation efforts for technical issues, so roll up those sleeves and get to work. It can be challenging, but it’s necessary, not only for SOC 1 SSAE 18 compliance, but for many other mandates, such as PCI, HIPAA, etc.
Remediate Operational Areas – SOC 1 SSAE 18 audit preparation also entails remediation that’s not just technical in nature - it also requires comprehensive measures for correcting many operational deficiencies, such as strengthening best practices as necessary.
Work With Your Auditors – Remember something very important - your SOC 1 SSAE 18 auditor is there to assist and facilitate compliance, not to be an adversarial roadblock in the overall process. Though they still have to be “independent” in judgment and objective in their findings, they still have a vested interest in issuing a “clean” SOC 1 SSAE 18 opinion. This means being upfront, open, and transparent at all times throughout the entire audit process, no matter what the issue is.
The more proactive and open you are, the less likely confrontations, constraints, and issues will arise. Talk about audit scope, remediation, testing concerns - whatever’s relevant to the SOC 1 SSAE 18 assessment - and work it out. Call Christopher Nickell, CPA, today at 1-800-277-5415, ext. 706 to receive a competitive, fixed fee for all your SOC 1 SSAE 18, SOC 2 AT 101, and SOC 3 SysTrust | WebTrust needs. NDNB also provides PCI DSS reporting (onsite audits) and numerous other compliance services.
SOC 1 SSAE 18 audit frequency is a common topic in today's growing world of regulatory compliance, as more and more organizations are being required to undertake SOC 1 SSAE 18 Type 1 and/or Type 2 reporting. Sure, they can be a taxing and expensive proposition, which always prompts the question, "how often do I have to do a SOC 1 SSAE 18 Type 1 or Type 2 assessment?" Generally speaking, once you've welcomed yourself to the world of regulatory compliance, your customers are going to expect an annual SOC 1 SSAE 18 assessment from you.
It's an Annual Commitment
That's right, once a year is the norm - after all - a SOC 1 SSAE 18 assessment that becomes historically old and "stale" is of little or no value for intended users of such a report. Just stop and think about how much can change in one (1) full calendar year for a company - new business lines, changes in operations - the list can go on and on. It's the prime reason why SOC 1 SSAE 18 audit frequency is generally an annual commitment. Sure, this can be quite a challenge for service organizations – both financially and operationally – but the pricing for these types of engagements has come down considerably with the numerous CPA firms competing for your business.
Even with that said, working with your CPA firm on an annual basis regarding audit preparation, planning, and other related activities should help ease the operational and financial costs to some degree. Just remember to choose a well-skilled, proven firm, one with years of experience performing SOC 1, SOC 2, and SOC 3 engagements. Additionally, if you would like to learn more about SOC 1 SSAE 18, please visit the official SOC Report Resource Guide at socreports.com, developed exclusively by NDNB, a nationally recognized IR CPA firm specializing in SOC 1, SOC 2, and SOC 3 compliance.