SSAE 16 Examination (formerly SAS 70) / Service Organization Control 1 (SOC 1) Report
If your company (the ‘Service Organization’) performs outsourced services that are relevant to internal controls over the financial reporting of another company (the ‘User Organization’), your company will more than likely be asked to provide an SSAE 16 report, especially if the User Organization is publicly traded. ‘Services that are relevant to internal controls over financial reporting’ can range from providing access controls over financial data to recording or manipulating financial data for the User Organization.
The AICPA Auditing Standards Board has replaced the Statement on Auditing Standards No. 70 (SAS 70) by issuing Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization. The effective date for SSAE 16 is for Service Organization reports with periods ending on or after June 15, 2011. This new standard is more in line with the global standard of International Standards for Assurance Engagements No. 3402 (ISAE 3402), Assurance Reports on Controls at a Service Organization.
The primary purpose of an SSAE 16 report (also referred to as a SOC 1) is to provide User Organizations and their financial statement auditors with an understanding of the services being provided and a Service Auditor’s opinion as to whether the description of the system of controls is fairly presented, whether the controls are suitably designed and, in the case of a “Type 2” report, whether the controls were operating effectively over a specified period of time.
For More Information Speak to a Service Auditor at Roosa CPA, LLC (877) 410-8516
Types of Reports
The SSAE 16 SOC 1 report is an internal controls report on the services provided by a Service Organization. The report provides valuable information that users need to assess the risks associated with an outsourced service. There are two different “Types” of examinations that can be conducted under the SSAE 16 standard. The specifics of these examinations/reports are as follows:
Type 1 Report
- An internal controls report that examines management’s description of the system to determine whether the presentation of the system fairly represents the design and implementation of the Service Organization’s system as of the specified date.
- The Service Auditor also opines on whether the controls stated in management’s description of the system were suitably designed to achieve the stated control objectives as of the specified date.
- Obtaining the Type 1 report is a great place to start for a company that has not been audited under the SAS 70 or SSAE 16 standard; this type of examination will enable the Service Organization to define their system of controls and ensure that controls were implemented as of the specified date. There is no requirement for a Service Organization to graduate to a Type 2 report from the Type 1 report; the Service Organization can obtain a Type 1 report year after year. The frequency and type of report is driven by the needs of your customers.
Type 2 Report
- An internal controls report that examines management’s description of the system to determine whether the presentation of the system fairly represents the design and implementation of the Service Organization’s system throughout the specified period.
- The Service Auditor also opines on whether the controls stated in management’s description of the system were suitably designed to achieve the stated control objectives throughout the specified period.
- In addition, the Service Auditor tests whether the controls stated in management’s description of the system operated effectively throughout the specified period to achieve those control objectives.
- Most Service Organizations obtain an SSAE 16 Type 2 certification annually, but the specified period that is audited is usually only the last six months. The frequency and type of report is driven by the needs of your customers.
Areas of Examination
The controls audited in the SSAE 16 can vary depending on the industry and on the controls directly managed by the Service Organization. The areas of our examination (the scope of the audit) are based on the COSO and CobiT frameworks, which are currently among the most widely used and accepted frameworks in the regulatory governance environment.
- Control Environment – The organization’s controls that influence the control consciousness of its personnel are examined. This includes examining the organization’s structure, how information is communicated within the organization and human resource policies and procedures.
- Physical Security – The organization’s controls ensuring that physical access to the business premises and information systems is limited to properly authorized individuals are examined.
- Environmental Security – The organization’s controls that protect the facility, information systems and data from environmental threats (such as fire, flooding and power loss) are examined.
- Computer Operations (Backups and Storage) – The organization’s controls ensuring that system data is regularly backed up, rotated or vaulted offsite, and that archived data is available for restoration in the event of a processing error or an unexpected interruption are examined.
- Computer Operations (System Availability) – The organization’s controls ensuring that production systems are designed, maintained and monitored to provide system availability are examined.
- Application Change Control – The organization’s controls ensuring that application software is developed to effectively support application reporting requirements, and that changes are authorized and tested prior to migration into production, are examined.
- Information Security – The organization’s controls ensuring that logical access to critical systems and data is restricted to authorized individuals are examined.
- Data Communications – The organization’s controls ensuring that data maintains its integrity and security as it is transmitted between third parties and the Service Organization are examined.
Time and Expense
Not every SSAE 16 audit has the same requirements; the scope varies with the type of services each company performs for its customers. We have years of experience working with just about every industry and work with our clients to define a scope that satisfies your customers’ needs.
- A typical first-year audit requires 4 to 6 weeks of resources to complete an SSAE 16 audit; for 1 to 2 of those weeks we will be onsite to conduct the site visit.
- During the audit process you will have a dedicated Compliance Specialist available to answer questions and the owner is involved throughout the process.
- Call a Compliance Specialist at Roosa CPA, LLC (877) 410-8516 today for a free quote.