Service Organization Control (SOC) 1 reports are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. SSAE 16 has essentially replaced the aging SAS 70 auditing standard for reporting periods ending on or after June 15, 2011. Much like SAS 70, SSAE 16 provides two (2) reporting options: an SSAE 16 Type 1 Report is officially a "Report on management's description of a service organization's system and the suitability of the design of controls", while an SSAE 16 Type 2 Report is officially a "Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls".
While the SAS 70 audit standard became highly misused, ultimately straying from its original intent, the new SSAE 16 SOC 1 standard has been developed specifically for service organizations with a true relationship to the ICFR concept (Internal Controls over Financial Reporting). More specifically, SSAE 16 Type 1 and Type 2 reports under the SOC 1 reporting framework represent a sincere effort by the AICPA to use this new attestation standard in the very manner for which the original SAS 70 standard was designed: "reporting on controls" related to financial matters.
To learn more about SSAE 16 and the AICPA SOC framework, visit the official SSAE 16 Resource Guide, developed exclusively by NDB Accountants & Consultants, LLP (NDB), which provides important information on the following topics:
- Introduction to SSAE 16
- Why a New Standard?
- Responsibilities and Requirements for SSAE 16 SOC 1 assessments.
- Description of the Service Organization's "system" for SSAE 16 SOC 1 compliance.
- The Written Assertion by Management.
As for some good advice regarding SSAE 16 SOC 1 compliance, remember the following:
1. Conduct a Readiness Assessment: You'll need to know what areas, if any, within your control environment require remediation prior to beginning an actual SSAE 16 SOC 1 audit. After all, walking straight into an assessment with little or no preparation is a recipe for disaster, as every entity has something that requires fixing or correcting before the audit commences. Is it really a good idea to walk straight into an SSAE 16 SOC 1 assessment without doing any type of preliminary work, such as identifying scope, control issues, and more? No, it's not, so talk to the experts at NDB about performing a brief, cost-effective, and highly beneficial SSAE 16 SOC 1 readiness assessment today.
2. Expect to Remediate Issues: No company has a picture-perfect control environment, nobody, so you can truly expect some form of remediation to take place, such as developing policies and procedures, implementing system configuration changes, etc. The degree and depth of remediation really depends on the maturity of your control environment. Luckily, NDB provides policy templates and other supporting documents to help get through remediation quickly.
3. Assess ICFR and Scope: If you're undertaking SSAE 16 SOC 1 compliance, then it's vital to assess the "Internal Controls over Financial Reporting" criteria. Specifically, is your organization performing essential services for clients that can impact their financial reporting, and if so, have you determined how to assess and test for compliance with regards to SSAE 16 SOC 1 reporting? Working with a well-qualified, proven CPA firm can get you the answers you need quickly, so call and speak with CPA Christopher Nickell at 1-800-277-5415, ext. 706 or email him at firstname.lastname@example.org today.
4. Documentation is Essential: That's right, when we say "documentation", we're talking about information security policies and procedures, the large body of internal materials needed to satisfy a major part of the audit. Sure, SSAE 16 SOC 1 is, technically speaking, a financially driven audit, yet the number of policies and supporting materials that must be in place can be overwhelming. That's why NDB offers a SOC 1 Policy Packet to our clients consisting of dozens of templates and hundreds of pages.
5. Compliance is an Annual Commitment: Once you begin the process of SSAE 16 SOC 1 compliance, you can fully expect annual compliance reporting to be the norm; it's the new world of regulatory compliance we live in. That's also why finding and working with a qualified CPA firm with years of compliance expertise just makes sense. You can lock in a long-term price contract, gain familiarity with their auditing processes, and ultimately build confidence in your internal control environment.
Let's not forget that the SOC 2 reporting framework has gained considerable recognition in just a few short years, so visit the official SOC 2 Resource Guide, also developed exclusively by NDB, to learn more about SOC 2 Type 1 and SOC 2 Type 2 assessments. NDB has years of experience performing a wide variety of regulatory compliance reports, so talk to the experts today about obtaining a competitively priced, fixed fee for all your SOC 2 needs. Call and speak directly with Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, or email him at email@example.com today.
6. Lastly, and for an ounce of clarity, just remember the following: (1) SSAE 16 SOC 1 reporting is financially driven; specifically, companies offering services that can impact a client's financials undergo these types of audits. (2) The SOC 2 reporting standard is highly applicable to technology service organizations, such as SaaS and cloud computing providers.
SSAE 16 SOC 1 Experts | Talk to NDB
As one of North America's leading providers of SSAE 16 SOC 1 and SOC 2 audits, NDB has the depth, experience, and audit "know-how" to help businesses succeed in today's world of regulatory compliance, and we do it all. From helping develop policies and procedures to performing the actual assessments, NDB is with you every step of the way.