About SOC 1 / SSAE 18
Governed by the AICPA (American Institute of Certified Public Accountants) standards, SOC (Service Organization Control) 1 reports give your clients assurance that the controls in your environment that are relevant to their controls over financial reporting are appropriate and in place.
Previously, SAS 70 (Statement of Attestation Standards) was used to provide evidence that an organization had operational controls in place with regard to its customers' financial reporting. However, as of 2011, SOC 1 / SSAE 16 (Standards of Attestation Engagements) superseded SAS 70.
As of May 1, 2017, any report opinion on or after that date will be issued under the SSAE 18 standard.
Remember that two types of SOC 1 reports exist:
- Type I: Test of Control Design Effectiveness (as of a point in time)
- Type II: Test of Control Operating Effectiveness (during a period of time)
Clients often refer to Type I as the policy documentation and Type II as the testing phase. Although this is broadly accurate, Type I requires more than that: several other audit artifacts are required beyond policies and procedures (e.g. a risk assessment, penetration testing, etc.). Elevate helps you navigate the difference and determine the best approach to achieving compliance.
What changed between SSAE 16 and SSAE 18?
The most significant change in the requirements that have to be met by a service organization is ensuring that its vendor management program for subservice providers (for example, colocation facilities) is sufficiently robust. SSAE 18 requires service organizations to implement processes that monitor the controls at subservice organizations. SSAE 18 provides the following control suggestions:
- Review and reconcile output reports
- Hold periodic discussions with the subservice organization
- Make regular site visits to the subservice organization
- Test controls at the subservice organization (key vendors that are part of the ecosystem for certification) by members of the service organization’s internal audit function
- Review Type I or Type II reports on the subservice organization’s system
- Monitor external communications, such as customer complaints, relevant to the services provided by the subservice organization
Examples of information produced by a service organization that are commonly used by a service auditor include:
- Population lists used to select a sample of items for testing
- Lists of data that have specific characteristics
- Exception reports
- Transaction reconciliations
- Documentation that provides evidence of the operating effectiveness of controls, such as user access lists
- System-generated reports
- Other system-generated data