How organizations comply with SSAE 18 i.e. SOC Compliance?

As per AICPA, ‘The Service Organization Control (SOC) reports are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service’ .

 

The service organizations which are like to compliant with ‘Statement on Standards for Attestation Engagement’ [SSAE 18] standards and SOC compliance, the type of Audit they need to undergo are depends on the services which they provides to their user entities. Irrespective of whether a company go for a SOC 1 Audit report or SOC 2 Audit report, these reports are signed by licensed CPA and they (service organization) can go for the auditing process by providing a description of the system and a written statement of attestation to the licensed CPA (Accorp Partners). The description of the system should includes information such as the services which the organization provides, their organization’s IT policies and procedures and the personnel who are involved in the scoped services of the Business process. As per the written statement of service organization’s attestation, the organization’s management team should put together a document to assert that their organization’s system and IT controls are designed and implemented in a way that achieves the goal of the organization.

Now under the SOC, there are two subtypes of reports — Type I and Type II. The simple difference between the two is that the SOC 1 Type I audits report is solely on the controls of a company at a specific point in time, while SOC Type II audits requires a more meticulous, thorough and time-taking review and analysis.

 SOC 1 is a control report for service organizations, which pertains to internal control over financial reports.

 SOC 2 is based on service system trust principles and evaluates the business information system that relates to security, availability, processing integrity, confidentiality and privacy.

 SOC 3 is also based on system trust principles but does not go into as much detail as SOC2 and is primarily used as marketing material.