As with SAS 70, service organizations remain responsible for defining control objectives, identifying the controls that address them, and writing the description of the system. Under SSAE 16/SOC 1, however, management must also provide a written assertion that, among other things, states that the description fairly presents the system, that the controls were suitably designed and implemented to achieve the control objectives, and (in a Type 2 report) that the controls operated effectively throughout the examination period. This shifts a significant share of the responsibility to management and puts them more "on the line" than SAS 70 did.
If you are transitioning to an SSAE 16/SOC 1 report, consider getting started now.
- Planning early puts you in a good position to evaluate whether you will be able to provide the required assertion, or whether additional procedures are needed before you can.
- Address the risks that have been identified, determine whether existing controls mitigate them, and close any gaps before the reporting period begins; an unmitigated risk discovered during the period can lead to a qualified report.
- Be sure management grasps the implications of the new report, has formalized the basis for its written assertion, and is satisfied that the system and control environment are sound.
- Evaluate this transition carefully. Consider your business and how best to align the new SOC reporting options to your needs, the needs of your clients, and your overall marketplace strategy.
A service organization should take deliberate steps to re-evaluate, and where necessary rewrite, its description of the system before issuing its first SSAE 16/SOC 1 report.
A former SAS 70 report is not always the best fit for an SSAE 16/SOC 1 report, which is intended for controls relevant to user entities' internal control over financial reporting. The SOC 2 and SOC 3 reporting options, which cover controls over security, availability, processing integrity, confidentiality, and privacy, give you the flexibility to provide the right type of report to customers and other stakeholders, strengthen business relationships, and attract prospective clients.