SSAE 16 Type II compliance audits are being performed on a large and ever-growing number of service organizations, as the AICPA standard has become - much like the historical SAS 70 auditing standard was for 20 years - the de facto third-party internal control reporting framework. Many service organizations are new to SSAE 16, having been pushed into the world of regulatory compliance by demanding customers along with regulators wanting to inquire about a company’s internal controls. With that said, it’s important to take note of the following 5 items regarding SSAE 16 Type II compliance audits, brought to you by NDB Accountants & Consultants (NDB).
1. The AICPA SOC framework. The American Institute of Certified Public Accountants' Service Organization Control (SOC) reporting framework consists of SOC 1, SOC 2, and SOC 3 reporting, for which SSAE 16 is the professional standard used for SOC 1 reporting purposes. Hence, service organizations can receive a SOC 1 Type 1 and/or a SOC 1 Type 2 report. Long gone is the "one-size-fits-all" SAS 70 audit approach, effectively replaced by reporting options that reflect today's complex, technology-driven business landscape. For an ounce of clarity, just remember that SSAE 16 is the professional standard for SOC 1, while AT 101 is the professional standard used for SOC 2 and SOC 3 reporting. A competent, well-qualified CPA firm, such as NDB Accountants & Consultants (NDB), can help clarify and answer any questions regarding SOC reporting.
2. Description of the “system”. For SSAE 16 Type II compliance (and for Type I reporting also), management of the service organization is to develop a description of its “system”, which consists of the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities. The description should adequately illustrate many of the service organization’s daily operational procedures, information security safeguards and controls, along with other important measures. NDB Accountants & Consultants (NDB), a nationally recognized CPA firm, can assist service organizations in developing the description of their “system”.
3. Written Statement of Assertion by management. Along with the description of its “system”, SSAE 16 Type II compliance requires management of the service organization to provide the service auditor (i.e., the CPA performing the actual engagement) with a written statement of assertion whereby management effectively asserts to a number of clauses and provisions. This is a new component of the AICPA SOC framework, yet it’s relatively straightforward and many examples can be found online. Additionally, speaking with a competent, well-qualified PCAOB CPA firm, such as NDB, is a good place to start. Service organizations should spend time learning more about the written statement of assertion, so visit the official SSAE 16 Resource Guide today.
4. Policies and Procedures. One of the more challenging and time-consuming tasks relating to SSAE 16 Type II compliance - or to any of the SOC reporting frameworks - is policies and procedures. From operational policy documentation to essential information security policies, they’re a must-have for compliance. Most organizations have disjointed, antiquated documents, ones that have been relegated to the proverbial “shelf ware” status on a lonely hard drive or in a dusty old file cabinet. Getting them updated, current and relevant can be a huge task, so beware. Your best bet is to find a quality provider of policy and procedure templates and get busy overhauling them immediately. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.
5. SOC 1 SSAE 16 vs. SOC 2 AT 101. Because SOC 1 SSAE 16 reporting is “technically” geared towards service organizations having a credible nexus with the ICFR concept - internal control over financial reporting - technology companies may want to look at SOC 2 reporting. SOC 2 and SOC 3 reporting are an ideal fit for many of today’s technology-oriented service organizations, as the Trust Services Principles (TSP) generally help better illustrate control environments for data centers, managed services providers, software as a service (SaaS) organizations, etc. Though SOC 1 SSAE 16 Type II reporting is considered the more well-known platform, SOC 2 deserves merit also. Learn more about the SOC 1 vs. SOC 2 debate.
Call Christopher G. Nickell, CPA, to receive a competitive fixed fee for SOC 1 SSAE 16 and SOC 2, SOC 3 compliance. He can be reached at 1-800-277-5415 - ext. 706.