1.866.669.6561

check

SOC 1 Type 1 Independent Service Auditor's Report | SSAE 16 Type 1

Independent Service Auditor’s Report on a Description of a Service Organization’s System and the Suitability of the Design of Controls

To: (Example Service Organization)

We have examined (Example Service Organization)’s description of its [type or name of] system for processing user entities’ transactions [or identification of the function performed by the system] as of May 31, 2012, and the suitability of the design of controls to achieve the related control objectives stated in the description. The description indicates that certain complementary user entity controls must be suitably designed and implemented at user entities for related controls at the service organization to be considered suitably designed to achieve the related control objectives. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.

On page XX of the description, (Example Service Organization) has provided an assertion about the fairness of the presentation of the description and suitability of the design of the controls to achieve the related controls objectives stated in the description. (Example Service Organization) is responsible for preparing the description and for its assertion, including the completeness, accuracy, and method of presentation of the description and the assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the description.

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance, in all material respects, about whether the description is fairly presented and the controls were suitably designed to achieve the related control objectives stated in the description as of May 31, 2012.

An examination of a description of a service organization’s system and the suitability of the design of the service organization’s controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation of the description of the system and the suitability of the design of the controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed to achieve the related control objectives stated in the description. An examination engagement of this type also includes evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described at page [aa].

We did not perform any procedures regarding the operating effectiveness of the controls stated in the description and, accordingly, do not express an opinion thereon.

We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions [or identification of the function performed by the system]. The projection to the future of any evaluation of the fairness of the presentation of the description, or any conclusions about the suitability of the design of the controls to achieve the related control objectives is subject to the risk that controls at a service organization may become ineffective or fail.

In our opinion, in all material respects, based on the criteria described in (Example Service Organization)’s assertion,

a.    the description fairly presents the [type or name of] system that was designed and implemented as of May 31, 2012, and

b.    the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively as of May 31, 2012.

This report is intended solely for the information and use of (Example Service Organization), user entities of (Example Service Organization)’s [type or name of] system as of May 31, 2012, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when obtaining an understanding of user entities information and communication systems relevant to financial reporting. This report is not intended to be and should not be used by anyone other than these specified parties.

[Service auditor’s signature]

[Date of the service auditor’s report]

[Service auditor’s city and state] 

More Information