SOC 1: SSAE 16 – Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
SSAE 16 (SOC 1) examinations assess controls at service organizations that are relevant to user entities’ (i.e. customers) internal control over financial reporting. Statement on Standards for Attestation Engagements (SSAE) No. 16 superseded the SAS 70 audit standard on June 15, 2011. The primary purpose of an SSAE 16 report is to provide customers and their financial statement auditors with an understanding of the services being provided and a CPA firm’s opinion as to whether the description is fairly presented, the controls are suitably designed, and in the case of a “Type 2” report, whether the controls were operating effectively over a specified period of time.
SOC 1 Readiness Assessment
Determine preparedness for an SSAE 16 examination through a formal gap analysis process.
Type 1 SSAE 16 (SOC 1) Examinations
In a Type 1 report the auditor provides independent third-party verification as to whether the control activities described by a service organization are appropriately designed to meet specified control objectives and whether the controls were placed in operation as of a particular date. Obtain a service auditor’s report that expresses an opinion on whether:
- management’s description of the service organization’s system fairly presents the service organization’s system (“the system”) that was designed and implemented as of a specified date; and
- the controls related to the control objectives stated in management’s description of the system were suitably designed to achieve those control objectives as of the specified date.
Type 2 SSAE 16 (SOC 1) Examinations
Type 2 SSAE 16 audits provide independent third-party verification as to whether the control activities described by a service organization are suitably designed to meet specified control objectives, and whether these controls were in place and operating effectively over a period of time, typically between six (6) and twelve (12) months. Obtain a service auditor’s report that expresses an opinion on whether:
- management’s description of the service organization’s system fairly presents the system that was designed and implemented throughout the specified period;
- the controls related to the control objectives stated in management’s description of the system were suitably designed throughout the specified period to achieve those control objectives; and
- the controls related to the control objectives stated in management’s description of the system operated effectively throughout the specified period to achieve those control objectives.
Who Must be Compliant?
An SSAE 16 is a voluntary compliance audit typically undertaken by outsourced service organizations that impact the control environment of their customers. Examples of service organizations include insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.
What does it cost to be compliant?
The cost of an SSAE 16 depends on the scope of the audit, the size of your organization, the complexity of the processing, and the maturity of the controls, to name but a few factors. First-time audits typically cost more, depending on the audit scope and complexity.
What are the requirements?
The service organization, not the auditor, is responsible for describing the controls and control objectives that are disclosed in the SSAE 16 report. While there are no set rules on the controls that should be included in an SSAE 16, the quality of the audit report is often dependent on the appropriateness of the control objectives and the testing procedures. The auditor may provide guidance and recommendations. An SSAE 16 (SOC 1) typically covers the following processes: control environment, risk assessment processes, control activities, information and communication, and monitoring processes. The auditor typically evaluates and tests the following types of controls: application development, configuration management, change management, telecommunication network, logical access, physical access, data retention and transmission, application, and input and output process controls.
How can we help?
In today’s global economy, IT service organizations and service providers must demonstrate that they have adequate controls and safeguards when they host or process customers’ data. The AICPA’s Statement on Standards for Attestation Engagements (SSAE) No. 16 is widely recognized as “the standard” for assessing the internal controls of third-party service organizations. Since 2002, the requirements of Section 404 of the Sarbanes-Oxley Act have made SAS 70 audit reports even more important to the process of reporting on effective internal controls at service organizations.
True Holdings, Inc. helps clients prepare for the SSAE 16 audit and reduce both the time and expense associated with testing. By laying a solid foundation, we allow the audit to proceed with the least number of unknowns.
Our approach ensures:
- Your employees understand the context and requirements of an SSAE 16 (SOC 1) audit
- Control processes and procedures are properly documented
- A comprehensive risk assessment is completed
- Control weaknesses are preemptively remediated, and recommendations for improvements are identified and communicated
- Testing is completed with minimal interruption to the organization
- There are no surprises when your SSAE 16 (SOC 1) testing is completed
Contact us to learn more.