SOC 1 (Formerly SAS 70)
A SOC 1 report results from an engagement under the relatively new Statement on Standards for Attestation Engagements, SSAE 16 – Reporting on Controls at a Service Organization. SSAE 16 examines internal controls at a service organization that affect a user entity’s controls over financial reporting. The report is intended only for the auditors of user organizations and the management of user entities. SSAE 16 requires the same level of evidence and assurance expected under the former SAS 70 service auditor engagement; it essentially fills the role a SAS 70 report was originally intended to fill. Like the outdated SAS 70 reports they replaced, SOC 1 reports are available as Type 1 and Type 2 reports.
The key differences between a SOC 1 report (prepared in accordance with the SSAE 16 standard) and a SAS 70 report are as follows.
Written Assertion by Management – Management is now required to provide a written assertion in the SSAE 16 report supporting their system’s description. This assertion must include the suitable criteria used for management’s assessment.
Subservice Organizations – If a service organization uses a subservice organization and applies the inclusive reporting method, the subservice organization is also required to provide a written assertion similar to management’s assertion, as well as a letter of representation.
More Inclusive Description of the Service Organization’s System – SSAE 16 calls for a more comprehensive description of a service organization’s system. In addition to the description of controls, it must also include a description of the services provided and the classes of transactions processed; a description of the procedures by which services are provided, including transaction initiation, authorization, recording, processing and correction; a description of the process for capturing and addressing other significant events and conditions; and a description of the process for preparing reports and providing information to customers. It should also cover other aspects of the COSO internal control framework relevant to the user entities and any changes that occur during the audit period.
Clear Identification of Risks that Threaten the Achievement of Stated Control Objectives – In the SSAE 16 report, service organizations must identify the risks that threaten the achievement of the control objectives and evaluate whether the described controls would provide reasonable assurance that those risks would not prevent the control objectives from being achieved.