Tag Archives: ssae 16 report

SOC 1 Report

A SOC 1 Report (System and Organization Controls Report) is a report on Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting. The SOC1 Report is what you would have previously considered to be the standard SAS70 (or SSAE 16), complete with a Type I and Type II reports, but falls under the SSAE 18 guidance (as of May 1, 2017).
Please see the following articles discussing the SSAE 18 guidance and additional information related to the SOC 1 (Type I and Type II) Reports:

Below is a history of key changes made to the audit standard over time to enhance the overall audit and final report.

Differences between SAS 70, SSAE 16 and ISAE 3042:

  1. Management of the Service Organization will be required to provide the service auditor with a written assertion about the following, when performing either a Type I or Type II engagement, which the service auditor will then attest to:
    • The fairness of the presentation of the description of the service organization’s system;
    • The suitability of the design of the controls to achieve the related control objectives stated in the description; and
    • The operating effectiveness of those controls to achieve the related control objectives stated in the description (Type II Only)
  2. During the process of understanding the service organization’s system, the Service Auditor would be required to obtain information that would identify risks that the description of the service organization’s system is not fairly presented or that the control objectives stated in the description were not achieved due to intentional actions by service organization personnel.

SSAE 18 adds an additional set of requirements to further enhance SSAE 16 standard:

  1. Requires the inclusion of a Complementary Subservice Organization Controls section (similar to what is currently required for SOC 2).
  2. Requires the performance of a detailed Risk Assessment based on the control objectives defined in the report.

Remember: Although the reporting standard is soon to be, SSAE 18, the SSAE 16 and ISAE 3204, are all still considered to be a SOC 1 Report!

The latest changes are meant to give the end user a clearer picture of their vendor’s subservice organizations and the responsibilities of the end user as well (Complementary User Entity Controls), which, will help to provide an all around higher level of assurance and understanding to all involved.

SOC 2 and SOC 3 – Additional Reporting Options

In addition to the SOC 1 report which is restricted to controls relevant to an audit of a user entity’s financial statements, the SOC 2 and SOC 3 reports have been created to address controls relevant to operations and compliance.

  • SOC 2 Report – Trust Services Principles – The Service Organization Control (SOC) 2 Report will be performed in accordance with AT 101 and based upon the Trust Services Principles, with the ability to test and report on the design (Type I) and operating (Type II) effectiveness of a service organization’s controls (just like SOC 1 / SSAE 18)….read more
  • SOC 3 Report – WebTrust and SysTrust – The SOC 3 Report is also based upon the Trust Service Principles and performed under AT101, the difference being that a SOC 3 Report is permitted to be freely distributed (general use) and only reports on if the entity has achieved the Trust Services criteria or not (no description of tests and results or opinion on description of the system)….read more

SOC 1 & SOC 2 Preparation Checklist

I’ve been hearing from various people in the marketplace that they were interested in learning about some steps, at a high level, that they need to take to get off the ground and on their way to completing their SOC 1/2 Report Type I or Type II. So, I will give you all a breakdown of some of the things organizations should be doing now, and some things to think about down the line as you progress.

This SOC Reporting Checklist is geared towards service organizations whom have never undergone a SAS 70, SSAE 16, etc. in the past and will be taking up the task this coming year. A more detailed version geared towards companies that have some experience being audited will be coming down the line.

  • Do your research.
    • You have already come across our site, so you have begun the process of researching SSAE 16 and the responsibilities that come with performing one. I would continue to search for SAS 70 related information as well, as most of that knowledge is applicable.
  • Find a few CPA firms who perform over 75 SOC Reports annually.
    • You will want to research a number of firms that could perform and sign off on your SOC Report, which, only CPA firms are permitted to do. This process should be handled with the utmost care as you are putting a lot of trust into the company you choose, they can make or break you.
    • Some things to consider:
        1. The size of your company – You may not be able to afford a large CPA firm.
        2. The clientele you are attracting – Some companies will not feel secure with the quality of your SSAE 16 if it was performed by a firm that isn’t well known.
        3. Total SOC 1 or SOC 2 reports performed – You do not want to use a company who has never done such work in the past, unless they are comprised of former employees of another quality firm and have decided to take off on their own.
        4. The methodology employed – You will want to quiz the companies and gain comfort around their methods and ensure you are comfortable with their responses and agree based upon your research.
  • Narrow your search.
    • Based upon how you felt about each company, the people, the methodology, their previous experience, and of course, cost,  you should narrow down your search to the top 2 companies.
    • Pricing for a SOC report can vary greatly depending upon the company performing the work, the size of your organization, and audit scope. On average, company’s should be expected to spend between $15,000-$30,000 for a Type II audit.
      • You should look for a fixed rate fee so there is no potential for them to raise rates on you as the project progresses.
  • Define the scope.
    • Once you have engaged a firm to perform the work, make sure you define the scope of the audit early on in the process. Not doing so could lead to excessive delays and potential cost overruns.
  • Define your control objectives and activities.
    • In conjunction with your CPA firm, define the controls and test steps to be tested and make sure that they have been reviewed by process owners and any of the stakeholders at the CPA firm who may be reviewing and/or signing off on the report to ensure everyone is in agreeance. If this isn’t completed prior to testing, you are asking for a world of trouble.
  • Perform a Readiness Assessment.
    • You can either choose to perform a readiness assessment on your own, based upon the test steps already defined, or, if you do not have the capacity or ability to do so internally, you can look towards either the firm performing your review or another firm who is skilled in preparing companies for audits.

These steps laid out here will set you on your way to getting your SSAE 16 started up and going and should help to guide you through the toughest parts of the process. Once you have completed all of the steps we have laid out, you should be able to rely on the knowledge of your CPA firm to take you through the finish line.

If you have any further questions please Contact Us!

This information is also consistent with SSAE-18 which is effective as of May 1, 2017.

SSAE 16 Type I Report Background Information

There are significant differences between a Type I and Type II report, however, we aren’t going to discuss that here, thats for another day. We will discuss the basics of a SSAE 16 Type I Report and some areas that should be focused on if this is the direction your company wants to take.

While the Type I Report doesn’t carry much weight, there are benefits, and that’s why it exists as an option. A Type I Report is specifically defined by the SSAE 16 guidance as a “report on a description of a service organization’s system and the suitability of the design of controls”, essentially, a determination of if your company’s controls designed appropriately. When performing a Type I report, the auditors will test the design effectiveness of your company’s defined controls by examining a sample of 1 item per control. This provides a user organization with some comfort that your company (the service organization) has at least some controls in place. This can be useful when trying to obtain a contract and to show good faith to the potential user organization that your company is moving in the right direction. Most user organizations will require a Type II Report before contracting your company as a service organization of theirs.

The Type I Report is made up of 3 major areas, per the SSAE No. 16 Guidance:

a description of the service organization’s system prepared by management of the service organization.

– Management will need to prepare a description of the control objectives that are in place and being tested at their organization, as it relates to the process that is being reviewed for use by a User Organization. This will read sort of like a narrative of the process and how your control objectives tie in to each other and the process as a whole, giving a User Organization an overview of what and how, at a high level, their data will be handled.

a written assertion by the Service Organization’s management about whether, in all material respects, and based on suitable criteria:

1. the description of the service organization’s system fairly presents the service organization’s system that was designed and implemented as of a specified date.
2. the controls related to the control objectives stated in the description were suitably designed to achieve those control objectives as of the specified date.

– Management will need to prepare a written assertion attesting to the fair presentation and design of controls. Previously under SAS 70, it was the auditors who reported directly on the controls and management was not required to attest to anything. (There will be a separate post describing this in detail as this is a major difference)
The final component:

a service auditor’s report that expresses an opinion on the matters in b1-2.

– The auditors that are hired to perform the testing will need to review the Management’s assessment of the design of controls and attest to the validity of Management’s opinion. The auditors will walk through the control objectives and control activities in place at your company and verify they are, in fact, designed as Management noted. This is where the auditors will obtain a sample of 1 to support each control activity and express the results of their testing.

Specifics of reporting details for a SSAE Type I will be discussed later on!

This information is also consistent with SSAE-18 which is effective as of May 1, 2017.

SSAE 18 (SSAE 16) Preparation Tips

This tip is focused on designing controls that reflect the process being testing, if they don’t, a headache of massive proportions will be created once testing begins.

What do you do to make sure you don’t screw this up? Have as many meetings as it takes to get it right.
What you need to do is sit down with the auditors, the department lead, the main employees responsible for performing the process, and anyone else whom could either play a role in testing or modifying the control in the future. Once that is done, Management should discuss what they determined the control to be and how it should operate, that is then reviewed by the auditors, and then the employees performing the tasks should be reconsulted to verify that the control still reflects their process accurately.

Many times people try to speed this process up and slack on it, leaving many open items which upon testing could easily blow up into a huge problem. When the control isn’t 100% agreed upon prior to testing and a deviation is noted, it’s a tough call between failing the control and the ability to adjust it to accurately reflect the process. The problem is modifying a control after testing has begun is not proper and needs to be avoided at all costs.

Locking the controls locked down early on could save weeks in wrapping up your new SSAE 16 Report.
We have seen issues like this cause delays in issuing of the report to the client and running additional fees, since adjusting controls isn’t free. Coming from the perspective of the auditor, we can let you know the pitfalls, consequences and how to best navigate the audit process. If you have any comments or questions please leave them below!