SSAE 18

SSAE 18 / SOC 1 Type 1 Report – Background Information

A SSAE 18 / SOC 1 Type I Report shows Company’s that your Organization has appropriate controls designed and in place as of the date the report is issued. It does not provide assurance that controls are executed consistently, which, is the purpose of the Type 2 report and what most Company’s are hoping to see when asking for evidence of a SOC report.

So, while, the Type II is preferred, the Type I report is an important step in the right direction for an Organization who has never undergone an audit and looking to show they are serious about compliance.

A Type I Report is specifically defined by the SSAE 18 guidance as a “report on a description of a service organization’s system and the suitability of the design of controls”, essentially, a determination of if your company’s controls designed appropriately. When performing a Type I report, the auditors will test the design effectiveness of your Company’s controls by examining a sample of 1 item per control, review of policy, or through inquiry. This provides a user organization with some comfort that your company (the service organization) has controls in place (but not evidence of operating effectiveness). This can be useful when trying to obtain a contract to show good faith to potential user organizations or to maintain current contracts when Customers may have updated compliance requirements they must meet.

The SSAE 18 Type I report has 3 sections which include Management’s Assertion, the Auditor’s Opinion, and the System Description of the service offerings under review and corresponding control objectives and activities.

Why Perform an SSAE 18 (SOC 1 or SOC 2 Report)?

Some organizations have heard of SAS 70, SSAE 16, and now SSAE 18, but, haven’t seen the value, other than because one of their customer require it. Truth is, that’s a large part of the value, as many companies will not even think about outsourcing functions to a Company who does not have a clean SOC 1 or SOC 2 Type II Report in place, especially since Vendor Management reviews are now required.

Some benefits of having a SOC report in place include:

  • Ability to perform outsourcing services for Public Companies.
    • If performing financially significant duties for a Public Company, they are required to use a a provider with a valid SSAE 18/SOC 1 in place to give investors assurance over controls that are performed by the outsourcing Company.
  • Public and Private companies are more likely to trust your organization with their data.
    • Beyond any compliance requirements, if you were to trust a company with your data, you would want assurance it will be handled with the utmost care.
  • A year round accessible knowledge source (your auditors).
    • As a service organization, large or small, you will always have questions regarding your business and having a set of auditors in place with access to a wide array of business knowledge, it will allow you to bounce questions and concerns off of a group of trusted individuals who know your business.
  • A third party to review your controls and activities to ensure they are functioning appropriately, and give advice on how to improve upon them.
    • Sometimes your internal audit department is good, but, not always as stringent as they should be. This will help to serve as a check on their work, as well as your staff. Additionally, if there were any findings noted, your auditors are in a great position to give you some tricks and tips to improve and help ensure everything functions well the following period.
  • Improving performance of the organization.
    • Just the knowledge that a review is being performed of an employee’s work that can have far reaching consequences for the company as a whole. No more, “Oh, I didn’t realize that reviewing user access was THAT important to do this month, sorry”, now, everyone knows that if it’s not done, the success or failure of the organization could rest upon them.
Think of the SSAE-18 audit as an annual investment into your company, increasing potential new clients, productivity and accountability.

The SSAE16 Auditing Standard

SSAE 16 is an enhancement to the current standard for Reporting on Controls at a Service Organization, the SAS70. The changes made to the standard will bring your company, and the rest of the companies in the US, up to date with new international service organization reporting standards, the ISAE 3402. The adjustments made from SAS 70 to SSAE 16 will help you and your counterparts in the US compete on an international level; allowing companies around the world to give you their business with complete confidence.

SSAE16 is now effective as of June 15, 2011, and if you have not made the necessary adjustments required, now is the time to find a quality provider to discuss the proper steps. All organizations are now required to issue their Service Auditor Reports under the SSAE 16 standards in an SOC 1 Report.

The soon to be effective, SSAE-18, is expected to follow a similar reporting structure to the SSAE-16 within a SOC 1 report.

Who Needs an SSAE 16 (SOC 1) Audit?

A service organization’s services are part of an entity’s information system if they affect any of the following:The classes of transactions in the entity’s operations that are significant to the entity’s financial statements. The procedures, both automated and manual, by which the entity’s transactions are initiated, recorded, processed, and reported from their occurrence to their inclusion in the financial statements.The related accounting records, whether electronic or manual, supporting information, and specific accounts in the entity’s financial statements involved in initiating, recording, processing and reporting the entity’s transactions. How the entity’s information system captures other events and conditions that are significant to the financial statements. The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures.If your Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), you will more than likely be asked to provide an SSAE16 Type II Report, especially if the User Organization is publicly traded.
Some example industries include:

  • Payroll Processing
  • Loan Servicing
  • Data Center/Co-Location/Network Monitoring Services
  • Software as a Service (SaaS)
  • Medical Claims Processors

What you Need to Know:

Before starting the SSAE 16 process, there are a number of considerations one must take into account that can save considerable time, effort, and money in the long run. Use the following items as a mini checklist for yourself:

  • Does my Company need an SSAE16, or, are we doing it just because someone asked?
  • Reports on the low end can run at least $15,000 a year, will the business lost be less of a burden than the cost of the report itself?
  • Does your company have defined Business Process and IT controls in place, or, will you need assistance developing and implementing them (readiness assessment)?
  • Have you determined the controls in place which affect the outsourced services being provided?
  • Have key stakeholders been defined and included in discussions?

There are many other issues to consider before engaging a CPA firm to help with your SSAE 16, for a more detailed ‘checklist’ – please see The SSAE 16 Checklist

You may have heard SSAE-18 is on the horizon for reports issued as of May 1, 2017. There are some important updates discussed in here: SSAE-18 – An Update to SSAE-16.

As the standard is formalized and the date approaches we will continue to provide more information to help you prepare for these changes.

SOC 1 & SOC 2 Preparation Checklist

I’ve been hearing from various people in the marketplace that they were interested in learning about some steps, at a high level, that they need to take to get off the ground and on their way to completing their SOC 1/2 Report Type I or Type II. So, I will give you all a breakdown of some of the things organizations should be doing now, and some things to think about down the line as you progress.

This SOC Reporting Checklist is geared towards service organizations whom have never undergone a SAS 70, SSAE 16, etc. in the past and will be taking up the task this coming year. A more detailed version geared towards companies that have some experience being audited will be coming down the line.

  • Do your research.
    • You have already come across our site, so you have begun the process of researching SSAE 16 and the responsibilities that come with performing one. I would continue to search for SAS 70 related information as well, as most of that knowledge is applicable.
  • Find a few CPA firms who perform over 75 SOC Reports annually.
    • You will want to research a number of firms that could perform and sign off on your SOC Report, which, only CPA firms are permitted to do. This process should be handled with the utmost care as you are putting a lot of trust into the company you choose, they can make or break you.
    • Some things to consider:
        1. The size of your company – You may not be able to afford a large CPA firm.
        2. The clientele you are attracting – Some companies will not feel secure with the quality of your SSAE 16 if it was performed by a firm that isn’t well known.
        3. Total SOC 1 or SOC 2 reports performed – You do not want to use a company who has never done such work in the past, unless they are comprised of former employees of another quality firm and have decided to take off on their own.
        4. The methodology employed – You will want to quiz the companies and gain comfort around their methods and ensure you are comfortable with their responses and agree based upon your research.
  • Narrow your search.
    • Based upon how you felt about each company, the people, the methodology, their previous experience, and of course, cost,  you should narrow down your search to the top 2 companies.
    • Pricing for a SOC report can vary greatly depending upon the company performing the work, the size of your organization, and audit scope. On average, company’s should be expected to spend between $15,000-$30,000 for a Type II audit.
      • You should look for a fixed rate fee so there is no potential for them to raise rates on you as the project progresses.
  • Define the scope.
    • Once you have engaged a firm to perform the work, make sure you define the scope of the audit early on in the process. Not doing so could lead to excessive delays and potential cost overruns.
  • Define your control objectives and activities.
    • In conjunction with your CPA firm, define the controls and test steps to be tested and make sure that they have been reviewed by process owners and any of the stakeholders at the CPA firm who may be reviewing and/or signing off on the report to ensure everyone is in agreeance. If this isn’t completed prior to testing, you are asking for a world of trouble.
  • Perform a Readiness Assessment.
    • You can either choose to perform a readiness assessment on your own, based upon the test steps already defined, or, if you do not have the capacity or ability to do so internally, you can look towards either the firm performing your review or another firm who is skilled in preparing companies for audits.

These steps laid out here will set you on your way to getting your SSAE 16 started up and going and should help to guide you through the toughest parts of the process. Once you have completed all of the steps we have laid out, you should be able to rely on the knowledge of your CPA firm to take you through the finish line.

If you have any further questions please Contact Us!

This information is also consistent with SSAE-18 which is effective as of May 1, 2017.