The Statement on Standards for Attestation Engagements (SSAE) No. 16, effectively replaced the former standard SAS 70 in 2010 as the authoritative guidance for reporting on controls at service organizations. Today, many service organizations have converted to the new standard and now have a SSAE 16 report, also referred to as a Service Organization Controls (SOC) 1 report.

This course provides an overview of SSAE 16 standards and the approach to compliance reporting on controls at service organizations as well as the responsibilities of those organizations being audited. We also discuss:

  • Outsourcing and risk
  • Terms and definitions
  • Why SAS 70 was replaced with SSAE 16, and the key differences between the two

You also learn about the three SOC reporting options and two types of reports, with emphasis on the SOC 1 report. Also covered:

  • Various sections of SOC 1
  • How to write a description of a service organizations control environment, as well as managements written assertion
  • How to derive value from the reports to evaluate service organizations services

Intro Video Transcript

When user organizations outsource business functions to a service provider, the risks of the service organization become risks of the user entities. Organizations that use service providers want to ensure the integrity and security of the system and company to which they are entrusting their data.  To get that assurance, user organizations are increasingly demanding that their service providers undergo an audit that ensures the effectiveness and reliability of their control environment. The result of such an audit, called a SSAE 16 examination, is the issuance of a Service Organization Control (SOC) report by a third party auditor.

 

Hi.  My name is Jennifer Eversole.  I am co-founder and partner at Management Stack.  We are a technology biased management consulting firm specializing in enterprise risk management.  I’m here today to talk to you about Service Organization Control, or SOC 1 Reports. 

By learning a little bit of history about SOC 1 reports and understanding its various components you will be able to not only understand but also gain value from one of these reports.  This is really important if you are evaluating a service organization to determine if you want to use their services.  And, if you are part of a service organization undergoing a SSAE 16 audit, having a detailed understanding of the history of service organization controls reporting and the various components of a SOC 1 report will make the examination process much easier, more efficient, and valuable to your company. Also, when we are finished you will have an understanding of how to write the sections of the report that are now required by management under SSAE 16, which is the guidance behind the issuance of a SOC report. 

We’ll start by talking about outsourcing and risk and why SSAE 16 replaced SAS 70.  We’ll discuss the differences between a SOC 1, SOC 2, and SOC 3 report so that you’ll have an understanding of which report should be used in which circumstances.  We will also talk about the difference between a Type 1 and Type 2 report.  Then finally, we’ll focus on SOC 1 report and discuss the sections that make up the report, including how to write a description of a service organization’s control environment and management’s written assertion

Learning Objectives
  • Differentiate between the three types of SOC reports
  • Name the components of a SOC 1 report
  • Compose a management assertion letter to include with the service auditor’s opinion
  • Effectively describe the service organization’s “system” 

 

 

Last updated/reviewed: May 14, 2022
30 Reviews (110 ratings)

Reviews

5
Anonymous Author
Great description of the SOC 1 report requirements & customary contents. Well-organized presentation with clearly-worded (albeit lackluster) slides, providing a good amount of detail without being overwhelming. The presenter was easy to understand and seemed to be very familiar with the topic. Although she was a bit monotone, my interest was held throughout and I gained knowledge that'll be very helpful in my job.
5
Member's Profile
It is pretty detailed and I leant a lot. I will recommend this to my colleagues. The exam and quiz are beneficial, but I will recommend that the exams are a little more, like having 30 questions. I also recommend that there are 5 questions quiz after each video to test the subject of that segment
4
Member's Profile
the course was straight forward and well laid out, the time allocated was productive. However, I would suggested well dictating, the presented can make more emphasis on topics and subtopics to allow learners follow through with making notes
5
Member's Profile
Excellent course. Within the short time the instructor has explained the SAS 60 and SSAE 16 standards and the juice of all types of SSAE reports. This truly demonstrated her skills and experience. Kudos!!!
5
Member's Profile
I really liked the careful breakdown and explanation of the various components of the different types of SOC reports. The speaker was very clear and organized in her presentation.
5
Anonymous Author
appreciated going through each SOC report type and levels of the report from opinion assertion description of controls and section five additional information.
5
Anonymous Author
Great overview of how we got from SAS70 (1992) to SSAE16 (2011) as well as the differences between Type I and type II exams and the 3 types of reports.
5
Member's Profile
I liked the course, the only problem I am having is if the two parts of the "understanding soc 1 reports" videos are the exact same video
Member's Profile
This is a giod course to provide users of Soc reports appropriate background detaild. Slides provided a great deal of content.
5
Member's Profile
Information provided in the instructor's comments was not necessarily included in the presentation materials.
2
Member's Profile
One of the presentation sections was not included, but rather a repeat presentation of the previous section.
4
Anonymous Author
very detailed explanation of SOC 1 reports. It was a little repetitive at times, but very informative
5
Anonymous Author
This course was a wonderful introduction to SOC 1 Reports. I indeed gained some valuable knowledge
4
Anonymous Author
It was an interesting course and explained about the SOC report and the various types quite well.
5
Anonymous Author
This is a refreshing course. Nothing surprised me. Beginners will learn a lot from this training.
5
Anonymous Author
Lots of information provided, very easy to follow, good break down of steps and sections.
4
Member's Profile
good information and pace from the presenter. relevant information regardig the topic
3
Anonymous Author
I think I would have gotten more out of this course by simply reading a script ....
4
Anonymous Author
This course was very helpful in understanding the components of a SOC 1 report.
5
Anonymous Author
Good course providing an overview of SOC reports. Slides were very useful.
4
Member's Profile
Interesting course with good descriptions of different components of SOC1
3
Member's Profile
Great overview of the history and need for service reports. Thank you!
5
Anonymous Author
SSAE 16 SOC 1 Guide for Service Organizations is an excellent course.
5
Anonymous Author
covers knowledge about the SOC1 report. great course!!
5
Member's Profile
Very thorough course with good real life references.
5
Anonymous Author
Easy to understand.
5
Member's Profile
Useful info!
4
Member's Profile
good course
4
Anonymous Author
Good
5
Member's Profile
Good
show all reviews
Prerequisites
Course Complexity: Advanced

Prerequisite: Overview of service organizations

 

Advanced Preparation: None

 

Education Provider Information
Company: Illumeo, Inc., 75 East Santa Clara St., Suite 1215, San Jose, CA 95113
Contact: For more information regarding this course, including complaint and cancellation policies, please contact our offices at (408) 400- 3993 or send an e-mail to .
Instructor for this course
  Course Overview CPE
Course Syllabus
INTRODUCTION AND OVERVIEW
  7:00PREVIEW: Introduction to SOC 1
Guide to SOC 1 Reports
  Outsourcing and Risk4:11
  SAS 70 to SSAE 166:59
  Understanding SOC 1 Reports26:08
  Understanding SOC 1 Reports (Continued)25:15
Conclusion
  Course Conclusion 4:03
CONTINUOUS PLAY
  SSAE 16 SOC 1 Guide for Service Organizations1:13:41
SUPPORTING MATERIALS
  Slides: SOC 1 ReportsPDF
  SOC 1 Reports Glossary/IndexPDF
  Table of ContentsPDF
REVIEW & TEST
  REVIEW QUESTIONSquiz
 FINAL EXAMexam