A background on SSAE 16 SOC 1 compliance ultimately requires an understanding and introduction to the AICPA Service Organization Control (SOC) framework and the concept of ICFR; Internal Controls over Financial Reporting. SSAE 16 – short for Statement on Standards for Attestation Engagements number 16, effectively replaced the antiquated and often misused historical SAS 70 auditing standard. Now’s the time for you to develop a clearer and more wide-ranging sense of what, exactly, SSAE 16 is and requires. There are two important points you should be aware of as you navigate the challenging new landscape of SOC compliance in the SSAE 16 era. First, SSAE 16 is part of the AICPA SOC framework, and, second, SSAE 16 assessments are performed on service organizations exhibiting a true and credible nexus to the ICFR concept.
Getting Familiar with the AICPA SOC Framework
What is the SOC framework? With so many service organizations appearing on the financial market with various requirements for reporting, the American Institute of Certified Public Accountants (often known by its acronym, AICPA) engineered a wide-ranging platform called Service Organization Control reports, or SOC for short. This all-encompassing platform is comprised of three different kinds of reports, known as SOC 1, SOC 2, and SOC 3, respectively. Each of these offer service organizations a powerful and – most importantly, flexible – tool for describing the numerous factors at play in creating the economic landscape around their organization. This is a vast improvement on the SAS 70 auditing standard, with was often accused of applying a uniform approach to service organization reporting on controls without the capacity to reflect or respond to a service organization's individual needs and situation.
Now, this problem is all but solved, as the emergence of the AICPA SSAE 16 standard becomes the main professional standard available for issuing all SOC 1 reports. Getting to know the details of the SSAE 16 standard may be difficult for those service organizations used to using the now defunct SAS 70 auditing protocols – which were almost universally applied – but the benefits of utilizing SSAE 16 far outweigh the challenges.
Here are a few important terms to familiarize yourself with:
- SOC 1 Reporting is used to issue SSAE 16 Type 1 or Type 2 Reports.
- SOC 2 Reporting: Uses the AICPA AT Section 101 Professional Standard and can be used to generate either Type 1 or Type 2 reports.
- SOC 3 Reporting makes use of the SysTrust/Webtrust set of assurance services (aka “Trust Services”) which serve as a vast umbrella term for a number of criteria and requirements jointly developed by the CICA and AICPA.
Understanding SSAE 16 and the ICFR Concept
One of the most vital parts of an SSAE 16 assessment contain “control objective(s)” which are able to reflect and report a service organization's internal control over financial reporting, a term more often understood by its popular acronym, ICFR. What that means, in layman's terms, for you as a service organization, is that if you’re providing services that can impact a client’s financial reporting, then you’ll need to assess your ICFR related controls. If you're not sure of the answer or have difficulty supplying documentary evidence to support your response, you might consider opting for SOC 2 or SOC 3 reporting instead, if you find that the SSAE 16 SOC 1 standard is not an appropriate fit. To be clear, some user organizations and companies making use of an auditor might be unsure of their status and erroneously request SSAE 16 SOC 1 compliance despite not having direct applicability to ICFR.
SSAE 16 SOC 1 - It's About Impacting Financial Reporting for YOUR Customers
When you're looking at the extent to which ICFR functions are covered and recorded by the user organization, you should start by looking at whether there's any financial data the service organization has provided directly that can also be found – in number or data form – on the user organization's financial statements. Make sure you know whether your service organization is providing any specific services that would have any influence on a) any kind of record-keeping, including accounting entries or even estimations of a user organization or b) any power to authorize transactions, such as the recognition of revenue, capital expenditures, or expense scheduling, as well as c) any physical possession of any elements, whether liability or asset, that could be found on a user's financials. The reports we're discussing, SSAE 16, are designed as a conversation between auditor and auditor about what ICFR functions are already in place (that's what Type 1 is for) and their operating effectiveness (Type 2) at measuring and managing audit risk as well as detection risk: information that is useful not only to external auditors but also for auditors working at or in the user organization.
By and large, the ideal companies to undertake SSAE 16 SOC 1 compliance are those such as TPAs (Third Party Administrators, payroll processors, registered investment advisors (RIA), or actuarial/trust services. What's important is that you're able to recognize a strong bond between the ICFR concept and the SOC 1 reporting framework.
Example of SSAE 16 and ICFR Applicability
To use one example: in a given service organization (let's say, a payroll processor), various calculations derived from user input are used to determine things such as payroll taxes, expenses, accrued payroll, accrued vacation deferral, qualified and non-qualified deferred plan accruals, and similar estimates and calculations about future financial activity that will have an impact on the financial statements of the user organizations they represent. This is an ideal example of ICFR, as the service organization administers direct control over the statements of the firm using its services. Call and speak directly with Christopher G. Nickell, CPA, at email@example.com or at 1-800-277-5415, ext. 706 to learn more about SOC 1 SSAE 16 reporting and to receive a competitive, fixed-fee.