SSAE 16 (SOC 1) Audits - “The Cliff Notes Version”

Since the American Institute of Certified Public Accountants (AICPA) released its Service Organization Controls (SOC) reporting structure, there has been a constant request for more information and interpretation. SSAE 16 Professionals, LLP has released a “Cliff Notes” version of the SSAE 16 (SOC 1) audit process.

Delivering SSAE 16 Type I and Type II Reports

SSAE 16 Professionals, LLP

SSAE 16 (SOC 1), also known as Statements on Standards for Attestation Engagements No. 16, is better known throughout service organizations as SSAE 16 and is the successor to SAS 70. As with anything relatively new, there are plenty of questions and opportunities for clarification. In a competitive business environment, service organizations within various industries are constantly looking for a competitive advantage. A successful SSAE 16 (SOC 1) audit is a proven vehicle to achieve this competitive advantage.

A Brief Background of SSAE 16 (SOC 1) Audits
SSAE 16 (SOC 1) replaced an aging SAS 70 and is here to stay. Rapid changes within service organizations facilitated the evolution to SSAE 16, where controls and related assertions need to be based on relevant internal control over financial reporting (ICFR). This has led service organizations to restructure their control objectives and acquire formal certification to satisfy and comply with the newly evolved standards.

For a service organization today, SSAE 16 calls for a description of its “system”. This describes the policies and procedures in place, along with the personnel and operational functions, with consideration of the services provided that are relevant to current and future user entities. This is far more detailed and comprehensive than SAS 70’s description of “controls”. Also, unlike SAS 70’s perceived “one size fits all” approach, the new AICPA SOC framework now provides for multiple SSAE 16 reporting options. Service organizations can now choose between SSAE 16 (SOC 1), SOC 2 audits, and SOC 3 audits. Consultation with an experienced CPA firm can assist in deciding which report, or reports, best supports the service organization’s objectives.

Understanding the Basics of SSAE 16 (SOC 1)
There are many reasons to undergo the SSAE 16 (SOC 1) audit. For a service organization whose corporate objective is to best position itself for continued growth, client confidence, and the ability to serve a broader range of clients, the SSAE 16 (SOC 1) audit fully supports this objective with a proven and very strong return on investment (ROI). The first step towards undergoing the SSAE 16 (SOC 1) audit requires the service organization to identify which services and controls are in place that can impact the ICFR of clients that utilize its services. This is a rigorous process that is dedicated to the achievement and recognition that the services meet a minimum set of standards as identified and evaluated in the service auditor’s report.

As with past SAS 70 reports, both SSAE 16 (SOC 1) Type I and SSAE 16 (SOC 1) Type II reports can be issued depending on the specific requirements and objectives of the service organization. Both report types add value and credibility to a service organization’s core activities with the following differences:

  • Type I is a report on policies and procedures placed in operation as of a specified “point in time”. SSAE 16 Type I reports evaluate the design effectiveness of a service provider’s controls and then confirm that the controls have been placed in operation as of a “specific date”.
  • Type II is a report on policies and procedures placed in operation and tests of operating effectiveness for a “period of time”.
  • Type II reports include the examination and confirmation steps involved in a Type I examination plus an evaluation of the operating effectiveness of the controls for a period of at least six consecutive calendar months. Most user organizations require their service provider to undergo the Type II level examination for the greater level of assurance and reporting detail it provides.

About SSAE 16 Professionals, LLP
SSAE 16 Professionals, LLP is a leading provider that specializes solely in SSAE 16 readiness reviews, SSAE 16 Type I Reports, SSAE 16 Type II Reports, and other IT audit and compliance reports. Each of our professionals has over 10 years of relevant experience at “Big 4” and other large international or regional accounting firms. Each professional is certified as a CPA (Certified Public Accountant), CISA (Certified Information Systems Auditor), CIA (Certified Internal Auditor), CISSP (Certified Information Systems Security Professional), CRISC (Certified in Risk and Information Systems Control) and/or MBA (Master of Business Administration). For more information, please visit http://ssae16professionals.com/.

Contact Author

Jim Jimenez - Managing Partner