Why am I Being Asked About SSAE 16, and What do I Need to Know to Talk Intelligently?
SOC 1 (formerly SSAE 16) is the most commonly used means of third-party attestation. Have you been asked about a SOC 1 audit? Are you interested in learning more about how you can ensure SOC 1 compliance? The following webinar provides an informative overview of the SOC 1 framework along with SOC 2, HIPAA, PCI, and FISMA.
What Does a SOC 1 Audit Include?
SOC 1 is an audit and report on audit controls. It is performed by a certified CPA and is customized based on the services provided by an entity. Because a SOC 1 audit is based on risk, any objective and control that is relevant to an entity’s risk would be included in the audit report. For example:
- Controls impacting your client’s financial security
- Information security
- Regulatory compliance
- Contractual requirements
During a SOC 1 audit, an auditor’s job is to determine whether you do what you say you do. The SOC 1 audit will examine the controls that you have in place and if your organization is following through with them. The auditor will also determine if what you say you do is reasonable or not: does the auditor agree that the controls are good controls and are effectively designed to accomplish what you said your organization is accomplishing?
What is the Difference Between SOC 1 Type I and Type II Audits?
The primary difference between SOC 1 Type I and Type II audits is the audit period. A SOC 1 Type I and a SOC 1 Type II both report on the controls and processes at a service organization that may impact their user entities’ internal control over financial reporting. The main difference is that a SOC 1 Type I report is an attestation of controls at a service organization at a specific point in time, whereas a SOC 1 Type II report is an attestation of controls at a service organization over a minimum six-month period. The SOC 1 Type I reports on the description of controls provided by management of the service organization and attests that the controls are suitably designed and implemented. The SOC 1 Type II reports on the description of controls provided by management of the service organization, attests that the controls are suitably designed and implemented, and attests to the operating effectiveness of the controls.
To learn more about SOC 1 audits and other audit frameworks, download the full webinar. For more information about SOC 1 assessments and how KirkpatrickPrice can help you meet your compliance objectives, contact us today.