SSAE Report Frequently Asked Questions

SSAE 16 and SSAE 18 audits raise many questions. In this section we answer some of the questions we frequently come across during our calls and client interactions.

SSAE-18

When is SSAE-18 effective?

SSAE-18 will be effective for all reports issued after May 1, 2017.

Are Representation Letters Required in SSAE 18?

Previously, under SSAE 16, a Management Representation Letter was highly recommended and common practice; however, it was not explicitly required to be obtained except under certain existing subject-matter sections. Under SSAE 18 this requirement is now consistent across all sections.

How many updates to SOC 1 have there been?

SOC 1 stemmed from the original SAS 70 report. Once SSAE 16 was issued in April 2010, the formal report name was changed to SOC 1 (issued under the SSAE 16 guidance), effective as of June 2011. SSAE 18 was then issued in May 2017 and will be effective as of December 2018, applying to all SOC 1 reports issued thereafter.

What is SSAE 18 (formerly SSAE 16)?

The SSAE 18 audit standard is a framework for reporting on an examination of controls at a service organization relevant to user entities’ internal control over financial reporting.

Are Third Party Vendor reviews required for SOC 1 and SOC 2?

As of the latest SSAE 18 and SOC 2 updates, vendor management, including review of any relevant compliance/audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.), has become a key component of monitoring for potential security and compliance risks when outsourcing functions that use a third party’s data.

SOC 1

How long does a SOC 1 take to complete?

This depends on how prepared an Organization is and how many resources it can dedicate to the project. The first time through, a readiness assessment would usually be performed first, followed by a SOC 1 Type 1, which together take anywhere from 2 to 3 months. However, there are situations where it may take 6 to 12 months if an Organization does not have the resources or has not assigned sufficient priority.

A Type 2 report takes about 2 months to complete, but it may take a little longer during the first audit and becomes more efficient every year thereafter.

SOC 1 or HITRUST?

A SOC 1 has a completely different purpose than HITRUST. Typically a company would perform both if it is a TPA (third-party administrator) processing medical and other claims, where there is responsibility both for financial reporting and for maintaining security over the information being handled.

How much does a SOC 1 Type 1 cost?

A SOC 1 Type 1 report typically costs between $10,000 and $20,000 USD. This excludes the readiness assessment project, which most Organizations benefit from and which can add $5,000 to $10,000 USD depending on the level of assistance required and the project scope.

SOC 2

What is a SOC 2?

The Service and Organization Controls 2 (SOC 2) Report was formerly known as a Service Organization Controls Report; the name changed as of the most recent update to the SSAE 18 audit standard. A SOC 2 report can cover the design (Type 1 report) or operating effectiveness (Type 2 report) of controls around a Company’s system over any number of categories, including Security, Availability, Confidentiality, Processing Integrity, and/or Privacy.

See our more detailed SOC 2 Report page for more information.

We have a SOC 2. How much effort is GDPR?

Assuming your Company is subject to GDPR, the level of effort depends a lot on the maturity of your organizational and privacy controls. The organizational controls will be mostly met by implementing the related latest SOC 2 updates, which is good. However, if you are not currently including Privacy in your SOC 2 and do not have a strong privacy program in place, a moderate level of short-term effort will be required.

For most Companies, it should take approximately 2 to 3 months, in collaboration with your Auditor, to perform a readiness assessment against the specific GDPR requirements and implement the resulting updates.

The upside of being required to implement GDPR is that there would be minimal effort to include Privacy and references to any unique GDPR requirements within future SOC 2 reports.

We have a small company, how do we segregate Board of Directors from Management, and then, also the Internal Audit function?

Depending on the size of your Company, you could look to another small business owner in a similar situation, or a trusted advisor, to sit on each other’s boards and create the necessary segregation. As always, consult with your auditor before making any structural changes.

Definitions

What are Criteria?

Criteria are the various factors that provide a frame of reference to be evaluated by a practitioner. Without having defined criteria, any conclusion is open to individual interpretation and misunderstanding.

What are considered suitable audit Criteria?

Suitable criteria exhibit all of the following characteristics:

  • Relevance. Criteria are relevant to the subject matter.
  • Objectivity. Criteria are free from bias.
  • Measurability. Criteria permit reasonably consistent measurements, qualitative or quantitative, of subject matter.
  • Completeness. Criteria are complete when subject matter prepared in accordance with them does not omit relevant factors that could reasonably be expected to affect decisions of the intended users made on the basis of that subject matter.

The relative importance of each characteristic to a particular engagement is a matter of professional judgment.
