SOC 1 (SSAE 18) Examinations FAQ

What is SSAE 18?

Why did it change from SAS 70 to SSAE 18?

Are there new requirements for SSAE 18?

What are the new reporting requirements for SSAE 18 compared to SAS 70?

What does the SSAE 18 System Description require?

What are the requirements for the management assertion letter for SSAE 18 / SOC 1 audit reports?

How does my company prepare for a SSAE 18 audit?

How much does a SSAE 18 audit cost?

How much time is required from the company’s staff to complete a SSAE 18 audit?

How long does it take to complete a SSAE 18 audit?

How frequently do I need to undergo a SSAE 18 audit?

Do I need a SSAE 18 Type I or Type II audit?

What is the difference between a SSAE 18 Type I and Type II audit?

What is the composition of a SSAE 18 audit report?

1.   What is SSAE 18?

Statement on Standards for Attestation Engagements No. 18 (SSAE 18) is also known as the Service Organization Controls Report #1 (SOC 1).  SSAE 18 / SOC 1 reports were formerly known as SAS 70 reports, which are auditor reports on service organizations that provide outsourced information systems or services with an impact on their clients' financial reporting.  To simplify: if you are a service organization and you handle information for your clients that can have an impact on their financial reporting, you may be asked to obtain this form of audit report.

2.  Why did it change from SAS 70 to SSAE 18?

There are a number of reasons why this report changed, but most importantly the change was driven by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), which determined that evaluating the controls over an organization's system is not an audit of financial statements and therefore does not belong under an auditing standard.  SSAE 18 was issued as an attestation standard to better align with the type of engagement SAS 70 was originally set out to accomplish.

3. Are there new requirements for SSAE 18?

Yes, there are a few new requirements, but they do not directly impact how organizations operate on a day-to-day basis.  The new requirements of SSAE 18 affect the reporting requirements and do NOT require an organization to implement new operational procedures.

4.    What are the new reporting requirements for SSAE 18 compared to SAS 70?

In a SAS 70 audit, your report included an opinion letter, a description of controls and, for a Type II report, tests of operating effectiveness.  A SSAE 18 audit requires an opinion letter, a written assertion from management (new with SSAE 18), a description of your system (previously only a description of controls) and, for a Type II report, tests of operating effectiveness.  In short, the management assertion is new, and the SAS 70 description of controls becomes a description of your system.

Also, in a SSAE 18 Type II audit, your auditor is now required to evaluate whether your controls were suitably designed throughout the audit period.  Under SAS 70 the auditor was only required to evaluate the design of controls as of the last day of the audit period.

5.    What does the SSAE 18 System Description require?

The System Description requirement for SSAE 18 Type I and Type II audits requires that a company provide a description of its system that adequately reflects the services under review.  The following must also be met when preparing the system description:

i.  It presents fairly the 'system' used for processing transactions for user entities and includes all relevant information.  (Your auditor can advise if the system description is inadequate, but ultimately management is responsible for the final system description in your SSAE 18 / SOC 1 audit report.)

ii. Relevant changes during the period are included.  (If significant changes occur to your 'system' during the audit period, they should be described in the SSAE 18 audit report.)

6.    What are the requirements for the management assertion letter for SSAE 18 / SOC 1 audit reports?

  • Now that management is required to provide a written assertion for the SSAE 18 audit, one of the service organization's additional responsibilities is that management must have a reasonable basis to support that assertion.  Management should make sure the assertion is accurate and that all necessary procedures have been performed, to mitigate the risk of asserting inaccurate information.  This is why management needs to perform procedures in accordance with SSAE 18 that form the basis for its assertion.

Basis for Assertion (See Appendix A for references to the Standard)

  • Management needs a formalized and documented monitoring process to support its assertion.  Examples of monitoring activities include:
    1. Monitoring activities that provide evidence of control effectiveness over time
    2. Ongoing monitoring, separate evaluations, or a combination of the two
    3. Internal Audit, or ongoing monitoring of information provided by external parties (regulators, customers, etc.)
    4. Consideration of the risks to achieving the control objectives and how management would identify control failures
  • Management should perform an annual risk assessment:
    1. A formal or informal process for evaluating risks and the likelihood of achieving the control objectives
    2. It assists with the evaluation of controls and with assessing management's process and basis for its assertion

7. How does my company prepare for a SSAE 18 audit?

Many organizations going through a SSAE 18 audit for the first time are overwhelmed, or simply do not have the time to research and implement the internal controls and processes that are normally evaluated during a SSAE 18 audit.  We offer our clients two options for preparing.

  1. The first option is designed for clients who do not have the time or the internal resources to evaluate their own internal controls.  For this option, we provide onsite consulting to help your organization understand the SSAE 18 audit and the requirements as they relate to your industry, and to develop a roadmap for a successful SSAE 18 audit.
  2. The second option is for clients who are only looking for some guidance and wish to prepare for the SSAE 18 audit themselves.  Normally these are clients that have been through internal controls audits before, or that have on-site staff with an understanding of audit and controls.  For this approach, we hold phone conferences and provide an audit framework that clients can easily follow to help ensure the appropriate foundation is set before the SSAE 18 audit process starts.

8.  How much does a SSAE 18 audit cost?

The cost of a SSAE 18 audit varies for each client because no two SSAE 18 audits are the same.  Factors that affect the price include the size of your organization, the complexity of the information systems under review, the type of services offered and possibly the location of your business.  Contact us for a quick, customized SSAE 18 audit quote.

9. How much time is required from the company’s staff to complete a SSAE 18 audit?

Preparation for first time SSAE 18 audits:

  • The amount of time required from your internal resources can vary significantly based on the size of your organization and the maturity of your internal policies and procedures.  A company that has all of these processes documented and mapped out should be able to communicate its services efficiently to its auditors.  Some companies choose to hire a consultant to assist with preparation for their SSAE 18 audit and some choose to prepare internally (see FAQ 7).
  • Resource time required during SSAE 18 Type I and Type II audits:
    1. SSAE 18 Type I:  A lead resource for each relevant business unit (System Administrator, Network Administrator, Lead Developer, Human Resources, etc.) should expect to devote 5 to 10 hours preparing for and working with the auditors.  This includes gathering documentation, responding to questionnaires and holding interviews/walkthroughs with your auditors.
    2. SSAE 18 Type II:  The additional time for a SSAE 18 Type II audit is mainly spent preparing the documentation your auditor requests for the samples selected for testing.  Normally this documentation preparation can be spread across a variety of resources from the relevant business units.  A SSAE 18 Type II audit normally requires about 50% more time from your internal resources than a Type I audit.
    3. Key success factors for an efficient SSAE 18 audit include, but are not limited to, the following:
      1. Sponsorship from management
      2. A project plan
      3. Designation of a SSAE 18 project lead
      4. Scheduling of required resources (members of business units)
      5. Use of experienced and educated auditors
      6. Providing your auditor full and unrestricted access to the people, systems and documentation needed to evaluate the services under review

10. How long does it take to complete a SSAE 18 audit?

Timing varies depending on a number of factors, including the preparedness of your organization, its size and the type of services under review.   However, for most organizations that operate out of a centralized location, our audit process from the kickoff call to delivery of the audit report takes no longer than 8 weeks.  Of those 8 weeks we are normally on site for only 1 or 2 weeks.  Please refer to our methodologies for an explanation of the SSAE 18 audit process (link #3) and timeline.

11.   How frequently do I need to undergo a SSAE 18 audit?

Generally your clients will want a completed report on an annual basis.  Some service organizations have a report completed every six months so that the coverage period coincides with the financial reporting year ends of multiple clients.  It is generally most cost-effective to perform your audit annually, but if you need semi-annual audits they can be provided for a marginal increase in fees.

12.  Do I need a SSAE 18 Type I or Type II audit?

Generally, if your clients are publicly traded companies they will require your organization to have a Type II audit completed at least annually.  However, some private organizations will accept a Type I audit, and many service organizations complete a Type I SSAE 18 audit first to better understand their controls and to provide initial third-party assurance to their clients.

13.  What is the difference between a SSAE 18 Type I and Type II audit?

  • A SSAE 18 Type I audit is designed to provide an overview of the service organization's internal controls and processes relevant to its customers.  The audit helps a service organization gain an understanding of the controls and processes it has designed.  A SSAE 18 Type I report contains an audit opinion and a description of the system relevant to the services under review as of a point in time.   What does this mean?  An independent auditor provides an opinion that you have controls in place, as of that date, that are suitably designed to meet the control objectives of your service.
  • A SSAE 18 Type II audit also provides a description of the internal controls and processes relevant to customers; however, the auditor also tests these controls over a period of time to verify that the internal controls and processes actually operated as the service organization intended.  How is this different from a Type I report?  Since the auditor provides an opinion on the actual operation of the controls, and not only on their design, third parties are more likely to accept a Type II report than a Type I report.

14.  What is the composition of a SSAE 18 audit report?

There are 5 possible sections of a SSAE 18 audit report, and they include the following:

  1. Section 1: (Audit Opinion)
    1. An audit opinion is written for each SSAE 18 audit report to clearly explain the scope of the services under review and the overall outcome of the engagement for the type of SSAE 18 report issued.
  2. Section 2: (Assertion Statement)
    1. Management of the service organization must provide a written assertion to support its System Description as a component of the SSAE 18 audit report.  The assertion should address whether the System Description is fairly presented, whether the controls were suitably designed and, for a SSAE 18 Type II audit, whether the controls operated effectively over the audit period.
  3. Section 3: (System Description)
    1. This section contains a description of the company's services under review and a detailed explanation of the company's policies and procedures, people, software, infrastructure and anything else that supports the overall System Description for the services under review.  Section 3 normally covers the following areas:
      1. Overview of Operations
      2. Control Environment
      3. Risk Assessment
      4. Monitoring
      5. Communication
      6. Information System (includes relevant applications and supporting infrastructure)
      7. Control Objectives and Related Controls
      8. User Entities Control Considerations
  4. Section 4: (Applicable for Type II reports)
    1. Information Provided by the Service Auditor
      1. Control Objectives, Related Controls and Tests of Operating Effectiveness
  5. Section 5: Other Information Provided by the Service Organization
    1. Information that may be relevant to customers but was outside the scope of the SSAE 18 audit.
