Color Scheme:

SOC Reporting and Attest Services

Some specific terms used in the document

1. User organization —The entity that has engaged a service organization
and whose financial statements are being audited

2. User auditor —The auditor who reports on the financial statements of the user organization

3. Service organization—The entity (or segment of an entity) that provides services to a user organization that are part of the user organization's information system

4. Service auditor —The auditor who reports on controls of a service organization that may be relevant to a user organization's internal control as it relates to an audit of financial statements.

 SAS 70, SSSAE 18 Attest Services, SSAE16 Audit, SSAE 16 India , SSAE 16 report, AICPA SOC, SOC reports, SAS 70 Vs SSAE 16, SSAE16 Certification, SAS 70 Audit,  SOC 2 for Cloud Security

SSAE 18 and SOC Reporting?

Effective May 2017, the new service organization reporting standard is Statement on Standards for Attestation Engagements (SSAE) No. 18. supersedes the SSAE 16, and other SSAE, AT Standards. The earlier standard was Statement on Auditing Standards SAS 70 concerning the professional guidance on performing the service auditor's examination for Service Organizations. This was In line with the global standard called the International Standard on Assurance Engagements (ISAE) 3402 issued by the International Auditing and Assurance Standards Board (IAASB).

The new SSAE 18 standard is pronounced by the American institute of certified public accountant (AICPA) for use of all attest engagements including for a service organization. The SSAE 18 –SOC criteria are used to evaluate the internal control environment of a service organization as part of a financial statement audit of the user organization under AT-C 320. SOC now stands for “System and Organization Controls”. Formerly it was “Service Organization Controls”. The Service Auditor is to report on Controls implemented and/or operating effectively at the Service Organization.

The standard requires organizations to demonstrate controls in operations and its design to achieve objectives set forth. SOC report is attested by an Independent Auditor. The auditors are subjected to training, continuous professional education by the AICPA. Further, the engagements are subject to peer reviews periodically. The standard provides for two types of reporting Type 1 and Type II as covered in this document.

SOX-404 and PCOAB
Service organizations, as outsourcers and providers of services to public companies, are subject to the same level of scrutiny of their internal controls. Public companies cannot outsource their responsibility to examine the control environment and may be subject to fines/penalties for deficiency of effective controls over ICFR.

Bottom line:
Passing a SOC engagement is essential for compliance with regulatory requirements. But there’s more- Think beyond legalities. If you own a company that sells outsourced services (such as payroll services, data management, or claims processing) that can significantly affect the financial health of a user organization, getting a clean bill of health from a SOC engagement sends a strong signal of trustworthiness to your existing and prospective clients. This provides assurance that you have the controls and safeguards needed to preserve the security, availability process integrity or privacy of the information you manage. “Trust us with yours.”

Think of the SOC report as your company’s “Best Practices”. Now sit on the other side of the table. If you are a user organization and your company uses service providers , an SOC report provides a level of confidence that these service organizations, handling your most confidential and valuable information, have the procedures and controls in place to give you the required assurance that access controls for data are in place

 SAS 70, SSAE16 Audit, SSAE 16 India , SSAE 16 report, AICPA SOC, SOC reports, SAS 70 Vs SSAE 16, SSAE16 Certification, SAS 70 Audit,  SOC 2 for Cloud Security


SOC reporting is applicable to the audit of the financial statements of the user organization that obtains services from a service organization that are part of its information system. A service organization's services are part of the user organizations’ information system if they affect any of the following:

• The classes of transactions in the user organization’s operations that are significant to the user organization’s financial statements

•The procedures, both automated and manual, by which the user organization’s transactions are initiated, authorized, recorded, processed, and reported from their occurrence to their inclusion in the financial statements

• The related accounting records, whether electronic or manual, supporting information and specific accounts in the entity's financial statements involved in initiating, recording, processing and reporting the user organizations’ transactions.

•How the user organizations’ information system captures other events and conditions those are significant to the financial statements.

•The financial reporting process used to prepare the user organizations’ financial statements, including significant accounting estimates and disclosures.


Are you ready for SOC?

 SAS 70, SSAE16 Audit, SSAE 16 India , SSAE 16 report, AICPA SOC, SOC reports , SAS 70 Vs SSAE 16, SSAE16 Certification, SAS 70 Audit,  SOC 2 for Cloud Security

Knowing how much extra value and assurance a SOC report can deliver, many clients find that it makes sense to take steps to ensure a more successful outcome, including hiring experts who are skilled in helping companies be more thorough and thoughtful in how they approach their audits. Preparing for a SOC engagement is a matter of clear thinking and smart planning. Working with a consulting company such as ours helps you dig into areas such as incident response programs, change management processes and how vendors are monitored and managed in advance of the actual audit in order to identify and resolve questions and problems.

What is Type I report?

In a Type I engagement , the service auditor will express an opinion and report on the subject matter provided by the management of the service organization as to

(1) whether the service organization's description of its system fairly presents the service organization's system that was designed and implemented as of a specific date; and

(2) whether the controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives - also as of a specified date. A Type I report can be for either a SOC 1, or SOC 2 as explained below depending on the objectives of controls and services being provided.

What is Type II report?

In a Type II engagement , the service auditor will additionally express an opinion and report on the subject matter provided by the management of the service organization as to;

(3) whether the controls related to the control objectives or criteria stated in management's description of the service organization's system operated effectively throughout the specified period to achieve those control objectives. A Type II report also can be for either a SOC 1, or SOC 2 as explained below depending on the objectives of controls and services being provided. .

SOC Comparison Type 1 SOC Type 2 SOC

Reports on Compliance

•Report is as of point in time (i.e., as of 12/31/200X)

• Looks at the design of controls – not operating effectiveness

• Limited use & considered for information purposes only

• Not considered useful for purposes of reliance by user auditors

• Not used as a basis for reducing the assessment of control risk below the maximum

• Generally performed in the first year that a service organization has a SOC requirement.

• Report covers a period of time, generally not less than 6 months and not more than 12 months

• Differentiating factor: Includes tests of operating effectiveness

• May provide the user auditor with a basis
for reducing assessment of control risk below maximum

• Requires more internal and external effort

• Identifies instances of non-compliance of the stated control activity

• More emphasis on evidential matter


Service Organization Controls (SOC) 1 or SOC 2 SOC 1 SOC 2

•Address Controls Related to User Entities’ Internal Control over Financial Reporting (“ICFR”). It is used by service organizations affecting financial reporting of user organizations.

E.g. payroll processors, claims processors.

• Reports for user auditor, management of user/service Organization.

• A SOC 2 report conveys trust and assurance to users of the system that the service organization has deployed an effective control system to effectively mitigate operational and compliance risks that the system may represent to its users.

• It addresses Service Organization Controls using Trust Services Criteria for service organizations to apply and report on controls that may affect users of their service. A SOC 2 report demonstrates an independent auditor’s review of a service organization’s application of criteria related to one or more of the Trust Services Criteria, which are:

Security:The system is protected against unauthorized access (both physical and logical).

Availability: The system is available for operation and use as committed or agreed.
for reducing assessment of control risk below maximum

Processing integrity: System processing is complete, accurate, timely, and authorized.

Confidentiality: Information designated as confidential is protected as committed or agreed.

Privacy: Personal information (i.e., information that is about or can be related to an identifiable individual) is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP).
E.g. managed service providers
Reports for Knowledgeable parties

Examples of organizations that may need SOC reports

• Software as a Service (SaaS) and Application Service Providers (ASP)
• Payroll Organizations
• Fulfilment and Mail Order Companies
• Third Party Administrators (TPA) for Health and Benefits, Property and Casualty and Self-funded and Cobra
•Taft Hartley Organizations
• Medical Claims Processors
• Medical Billing Applications
•Data Centres/Co-Location Centre’s
• Managed Services Centre’s
• Card Payment Industry Transaction Entities
• Market Research Firms
• Online Market Rebate Firms
• Lockbox & Payment Collection Entities
• Knowledge Management (KM) Systems
• Customer Relationship Management (CRM) software applications
• Sales and Use Tax Entities
• Local and State Tax Procurement and Processing Departments
• Call centers
• Mortgage Service and Payment Entities
• Business Process Outsourcing (BPO) Entities
• Insurance Organizations-Excess & Surplus Lines (E&S)
• Title Companies
• I.T. Managed Services Entities
• Skip Tracing Entities
• Customer Life Cycle Management Entities
• Medicare Part D Software and Consulting Firms

• Helps in building trust
• Differentiates service organization from peers
• Provides management insight into the effectiveness of controls and possible areas for improvement
• Provides an independent assurance
• Allows service organization to meet regulatory/contractual requirements
• Provides a level of comfort over control consciousness of the service organization and its services.

 SAS 70, SSAE16 Audit, SSAE 16 India , SSAE 16 report, AICPA SOC, SOC reports , SAS 70 Vs SSAE 16, SSAE16 Certification, SAS 70 Audit,  SOC 2 for Cloud Security

KEY STEPS IN SOC Engagement Process

SSAE 16  wiki, SSAE16, SAS 70, SSAE16 Mumbai India, SOC 1 type II, Soc 2 for cloud security type I and II

1. Planning and Readiness Assessment
• Define expectations and project roles.
• Preliminary interviews / questionnaires conducted to gain understanding of requirements.
• Client information request list prepared and distributed.
• Analysis of client-prepared information performed and client feedback provided.
• Project timeline (including estimates of client hours) / plan created and

• Modifications made based on client discussions.

2. Identification of Controls
• Control objectives and activities written through collaboration of our team and client management.
• Planned testing procedures submitted to client for each control activity.
• Discussion regarding content of introductory sections of SAS 70 report.Key Steps in SAS 70 Audit Proc

3. Testing of Controls / Fieldwork
• Kickoff meeting conducted with all stakeholders.
• Audit inquiries and walkthroughs performed by audit team to confirm understanding based on control objectives.
• Testing procedures finalized and reviewed by client personnel to determine feasibility.
• Audit team performs testing of each control activity to assess operating effectiveness during test period.
• Test results communicated and exceptions are resolved, if possible.
• Closing meeting conducted to finalize project results, timing of report issuance, and discuss management recommendations.

4. Reporting
• SOC report is drafted through inputs from both the audit team and client management.
• Engagement finalization tasks performed by audit team: final work paper review, draft report review, and any necessary modifications.

sas 70 audit standard, SSAE 16 Attest, SAS70, SAS 70 Reports, SSAE16 Reporting, SOC2 for Cloud Security, Web Trust, SysTrust, What is SSAe16, Plan for ssae 16, Soc 2 assurance for cloud
• Client approves final version, audit quality assurance performed, and report is issued.

5. Ongoing Support
• Participation in meetings/ answer questions of user organizations and their auditors
• Consultation with management regarding organizational or operational changes affecting SAS 70.

Typical Scope

The SOC report defines the standards used by a service auditor to assess the internal controls of a service organization. The control objectives and activities vary based on the scope of the SOC engagement and client operations. The relationship between the service organization and the user organizations must be viewed to help determine the controls that should be included in the engagement. In addition, the impact on the user organizations financial statements will also be the determining factor as to whether controls at the service organizations are in the scope of the project. The following outlines some categories for control activities that are included in the description of controls for many SOC reviews:

General Computer Controls

• Logical security ( passwords, 2 Factor etc)
• Physical and environmental security
• Network security (firewalls, intrusion prevention)
• Change management
• Data retention and storage
• Disaster recovery / business continuity
• System documentation

Application Controls

There are also application-specific control activities that will vary based on the client systems that have been implemented. For example, the system application(s) of a thirdparty payroll provider would normally be reviewed to understand the automated controls around transaction processing..

sas 70 certification , SSAE 16, SSAE 16 Attest, SSAE 16 for Data Center, SSAE 16 You tube, SAS 70 You tube, SOC2 assurance for Cloud, Cloud CSA STAR Attestation

Financial (“Back Office”) Controls

In many instances, the financial controls of the service organization affect the financial reporting (ICFR) of the user organization. This is a typical case for the SOC 1 engagement . The planning stage of the SOC engagement includes discussions with user organizations and analysis of operations to determine the financial controls (if any) that should be in scope for the engagement. Along with our testing of these control activities, we will also consider the overall control environment (organizational structure, ‘tone at the top’), how management assesses its risks, information and communication (how information is communicated and transferred throughout the company), and monitoring (how the effectiveness of internal controls is being assessed within the organization).

Why Us ?

We provide end to end process for SOC reporting engagements. With data moving into the Cloud and increased use of BIG DATA, Cloud Security and Privacy concerns are on the rise. We conduct integrated Cyber security engagements with privacy engagements. AICPA has developed the SOC reporting framework for privacy, which can help organizations to ascertain their level of maturity for privacy. With more stringent regulations like HIPAA, EU-GDPR and enforcement of these privacy issues are causing nightmares to organizations.

Some of the advantages of working with Us are:

 SAS 70, SSAE16 Audit, SSAE 16 USA ,India , SSAE 16 report, AICPA SOC, SOC reports , SAS 70 Vs SSAE 16, SSAE16 Certification, SAS 70 Audit,  SOC 2 for Cloud Security, CSA STAR Certification

 SAS 70, SSAE16 Audit, SSAE 16 India , SSAE 16 report, AICPA SOC, SOC reports , SAS 70 Vs SSAE 16, SSAE16 Certification, SAS 70 Audit,  SOC 2 for Cloud Security

sas 70, SAS 70 audit, SSAE16 Audit, SSAE16 Attest, Certify for SSAE16/ ISAE 3402 Soc 2 for cloud Download our SOC Reporting Services

SOC2 for Cloud, Cloud Compliance, Cloud Security, CSA STAR Attestation, SSAE16 Audit, SSAE16 Attest, Certify for SSAE16/ ISAE 3402Download our SOC 2 for Cloud Services

Privacy Audit, SOC 2 for HITRUST/HIPAA, HIPAA Privacy Attestation, SSAE16 HIPAA Audit, SSAE16 Privacy Attest, HIPPA Certify for SSAE16/ ISAE 3402 Soc 2 for cloud Download our SOC 2 for HITRUST/HIPAA Services

GDPR Audit, GDPR Readiness, GDPR Risk Asessment, AICPA SOC reporting for GDPR, GDPR for Cloud SecurityDownload our GDPR Readiness Services

sas 70, SAS 70 audit, SSAE16 Audit, SSAE16 Attest, Certify for SSAE16/ ISAE 3402 Soc 2 for cloud Download our SOC for Cyber Risk Services

Watch our you tube video on SOC reports for Cloud and Cyber Risks