The Statement on Standards for Attestation Engagements (SSAE) No. 16 effectively replaced the former standard, SAS 70, in 2010 as the authoritative guidance for reporting on controls at service organizations. Today, many service organizations have converted to the new standard and now have an SSAE 16 report, also referred to as a Service Organization Controls (SOC) 1 report.
This course provides an overview of the SSAE 16 standard and the approach to compliance reporting on controls at service organizations, as well as the responsibilities of the organizations being audited. We also discuss:
- Outsourcing and risk
- Terms and definitions
- Why SAS 70 was replaced with SSAE 16, and the key differences between the two
You also learn about the three SOC reporting options and two types of reports, with emphasis on the SOC 1 report. Also covered:
- Various sections of SOC 1
- How to write a description of a service organization's control environment, as well as management's written assertion
- How to derive value from the reports when evaluating a service organization's services
Intro Video Transcript
When user organizations outsource business functions to a service provider, the risks of the service organization become risks of the user entities. Organizations that use service providers want to ensure the integrity and security of the system and company to which they are entrusting their data. To get that assurance, user organizations are increasingly demanding that their service providers undergo an audit that ensures the effectiveness and reliability of their control environment. The result of such an audit, called an SSAE 16 examination, is the issuance of a Service Organization Control (SOC) report by a third-party auditor.
Hi. My name is Jennifer Eversole. I am co-founder and partner at Management Stack. We are a technology-biased management consulting firm specializing in enterprise risk management. I'm here today to talk to you about Service Organization Control, or SOC 1, reports.
By learning a little bit of history about SOC 1 reports and understanding their various components, you will be able to not only understand but also gain value from one of these reports. This is really important if you are evaluating a service organization to determine if you want to use their services. And, if you are part of a service organization undergoing an SSAE 16 audit, having a detailed understanding of the history of service organization controls reporting and the various components of a SOC 1 report will make the examination process much easier, more efficient, and valuable to your company. Also, when we are finished you will have an understanding of how to write the sections of the report that are now required by management under SSAE 16, which is the guidance behind the issuance of a SOC report.
We'll start by talking about outsourcing and risk and why SSAE 16 replaced SAS 70. We'll discuss the differences between a SOC 1, SOC 2, and SOC 3 report so that you'll have an understanding of which report should be used in which circumstances. We will also talk about the difference between a Type 1 and Type 2 report. Then finally, we'll focus on the SOC 1 report and discuss the sections that make up the report, including how to write a description of a service organization's control environment and management's written assertion.
Learning Objectives
- Differentiate between the three types of SOC reports
- Name the components of a SOC 1 report
- Compose a management assertion letter to include with the service auditor’s opinion
- Effectively describe the service organization’s “system”
Prerequisites
Prerequisite: Overview of service organizations
Advanced Preparation: None