SSAE 16 (SOC 1) - formerly SAS 70

Effective for all reporting periods ending after June 15, 2011, SSAE 16 (commonly referred to now as SOC 1) is the replacement reporting standard for SAS 70. Like SAS 70, SOC 1 continues to focus on the controls performed at a service organization that may be relevant to the internal controls over financial reporting for user organizations.

A SOC 1 must be carefully planned by the service organization and should ideally be scoped through a process of communications with the user organization and its auditor. The organization being audited must prepare a written assertion and a description of the system, control objectives and activities. The auditor then examines the service organization's assertion over the description as it relates to the objectives and the business, and indicates whether the:

  • Auditor believes the system description is fairly stated.
  • Controls are suitably designed to achieve the control objectives that the organization has stated.
  • Controls have been placed in operation (as opposed to existing only on paper).
  • Controls are operating effectively (in a Type 2 engagement).

SOC 1 Service Auditor’s Reports

  • Type 1 – Includes the service organization's description of controls and the auditor's opinion about whether the control design is suitable for achieving those objectives as of a specified point in time.
  • Type 2 – Includes the Type 1 information as well as a control test plan and an evaluation of whether the tested controls operated effectively enough to provide reasonable assurance that the control objectives were achieved during a specified time period (minimum of 6 months).

Type 2 Engagement Phases

  • Phase 1 – Evaluate internal controls at the entity and application levels, including organizational and administrative controls as part of the control environment. This phase focuses on the control structure design as defined by the five components of COSO and IT general computer controls. In addition, Weaver reviews the general and application controls. The basis for the control structure is the strength of the design of the organizational general and application controls.
  • Phase 2 – Review, test and evaluate the operating effectiveness of the internal control structure at the process, transaction and application level by performing tests of identified controls.
  • Phase 3 – Issue an independent service auditor’s report.

SOC 1 Gap Assessment

A gap assessment involves evaluating the design of the controls currently in place at the entity and process levels to determine if corrective action is needed. The purpose is to provide management with a preview of what the results of a SOC 1 audit might look like.

Gap assessments can be conducted in various ways. For example, we can customize the approach by identifying the key risks along with the procedures and controls in place to address those risks. Alternatively, we can make assumptions about key risks and evaluate them against expected control activities. We recommend a hybrid of these two approaches to help ensure that the fee is contained, yet the procedures remain robust enough to allow for refinement of our understanding of the entity’s procedures and activities.

The gap assessment allows for identification of the scope, control objectives, controls and relative maturity of processes to determine the level of readiness for a SOC 1 report engagement. We typically recommend that management only consider omitting the gap assessment phase if the outcome of the SOC 1 report is less important than the timing of the report’s delivery. If management elects to do a gap assessment, this work must be performed prior to the audit period.

Service Leaders:

Brian Thomas, CISA, CISSP
Partner, Advisory Services
713.800.1050