Instructor for this course

The Statement on Standards for Attestation Engagements (SSAE) No. 16, effectively replaced the former standard SAS 70 in 2010 as the authoritative guidance for reporting on controls at service organizations. Today, many service organizations have converted to the new standard and now have a SSAE 16 report, also referred to as a Service Organization Controls (SOC) 1 report.

This course provides an overview of SSAE 16 standards and the approach to compliance reporting on controls at service organizations as well as the responsibilities of those organizations being audited. We also discuss:

  • Outsourcing and risk
  • Terms and definitions
  • Why SAS 70 was replaced with SSAE 16, and the key differences between the two

You also learn about the three SOC reporting options and two types of reports, with emphasis on the SOC 1 report. Also covered:

  • Various sections of SOC 1
  • How to write a description of a service organizations control environment, as well as managements written assertion
  • How to derive value from the reports to evaluate service organizations services

Intro Video Transcript

When user organizations outsource business functions to a service provider, the risks of the service organization become risks of the user entities. Organizations that use service providers want to ensure the integrity and security of the system and company to which they are entrusting their data.  To get that assurance, user organizations are increasingly demanding that their service providers undergo an audit that ensures the effectiveness and reliability of their control environment. The result of such an audit, called a SSAE 16 examination, is the issuance of a Service Organization Control (SOC) report by a third party auditor.


Hi.  My name is Jennifer Eversole.  I am co-founder and partner at Management Stack.  We are a technology biased management consulting firm specializing in enterprise risk management.  I’m here today to talk to you about Service Organization Control, or SOC 1 Reports. 

By learning a little bit of history about SOC 1 reports and understanding its various components you will be able to not only understand but also gain value from one of these reports.  This is really important if you are evaluating a service organization to determine if you want to use their services.  And, if you are part of a service organization undergoing a SSAE 16 audit, having a detailed understanding of the history of service organization controls reporting and the various components of a SOC 1 report will make the examination process much easier, more efficient, and valuable to your company. Also, when we are finished you will have an understanding of how to write the sections of the report that are now required by management under SSAE 16, which is the guidance behind the issuance of a SOC report. 

We’ll start by talking about outsourcing and risk and why SSAE 16 replaced SAS 70.  We’ll discuss the differences between a SOC 1, SOC 2, and SOC 3 report so that you’ll have an understanding of which report should be used in which circumstances.  We will also talk about the difference between a Type 1 and Type 2 report.  Then finally, we’ll focus on SOC 1 report and discuss the sections that make up the report, including how to write a description of a service organization’s control environment and management’s written assertion

Learning Objectives

  • Differentiate between the three types of SOC reports
  • Name the components of a SOC 1 report
  • Compose a management assertion letter to include with the service auditor’s opinion
  • Effectively describe the service organization’s “system” 



13 Reviews (45 ratings)Reviews

Anonymous Author
Great description of the SOC 1 report requirements & customary contents. Well-organized presentation with clearly-worded (albeit lackluster) slides, providing a good amount of detail without being overwhelming. The presenter was easy to understand and seemed to be very familiar with the topic. Although she was a bit monotone, my interest was held throughout and I gained knowledge that'll be very helpful in my job.
Member's Profile
I really liked the careful breakdown and explanation of the various components of the different types of SOC reports. The speaker was very clear and organized in her presentation.
Anonymous Author
Great overview of how we got from SAS70 (1992) to SSAE16 (2011) as well as the differences between Type I and type II exams and the 3 types of reports.
Member's Profile
I liked the course, the only problem I am having is if the two parts of the "understanding soc 1 reports" videos are the exact same video
Member's Profile
This is a giod course to provide users of Soc reports appropriate background detaild. Slides provided a great deal of content.
Anonymous Author
I think I would have gotten more out of this course by simply reading a script ....
Anonymous Author
This course was very helpful in understanding the components of a SOC 1 report.
Member's Profile
Interesting course with good descriptions of different components of SOC1
Anonymous Author
Easy to understand.
Member's Profile
Useful info!
Member's Profile
good course
Anonymous Author
Member's Profile


Course Complexity: Advanced

Prerequisite: Overview of service organizations


Advanced Preparation: None


Education Provider Information

Illumeo, Inc., 75 East Santa Clara St., Suite 1215, San Jose, CA 95113
For more information regarding this course, including complaint and cancellation policies, please contact our offices at (408) 400- 3993 or send an e-mail to .
Course Syllabus
Guide to SOC 1 Reports
  4:11Outsourcing and Risk
  6:59SAS 70 to SSAE 16
  26:08Understanding SOC 1 Reports
  25:15Understanding SOC 1 Reports (Continued)
  4:03Course Conclusion
  1:13:41SSAE 16 SOC 1 Guide for Service Organizations
  PDFTable of Contents
  PDFSlides: SOC 1 Reports
  PDFSOC 1 Reports Glossary/Index