Under the new AICPA reporting standards, an audit that is conducted under SSAE 16 will result in a Service Organization Control (SOC) 1 report. These reports are focused on controls relevant to internal control over financial reporting. In essence, a SOC 1 report will be the form of reporting once the SSAE 16 audit is complete.
SOC 1 reports will be available as Type 1 or Type 2 reports. Type 1 reports present the auditors’ opinion regarding the accuracy and completeness of management’s description of the system or service as well as the suitability of the design of controls as of a specific date. A Type 2 SOC 1 report includes the Type 1 criteria AND audits the operating effectiveness of the controls throughout a declared time period, generally between six months and one year.
1. Assurance to clients – A Type II SSAE 16 provides assurance to user organizations that the control objectives relating to the services provided by their service organization are suitably designed and operating effectively throughout the examination period. The report includes an opinion from an independent auditor on the design and operating effectiveness of relevant internal controls at a service provider.
2. Security and Internal Controls – SSAE 16s can help identify gaps in internal control. If issues are identified during the examination, a service organization can improve their controls and/or business processes by remediating any identified issues.
3. Business Development – An SSAE 16 may be provided to prospective customers or clients to give information about a service organization’s internal control environment and provide assurance that internal controls are working as designed.
Thanks to Jon Long for the correction regarding security assurance. Please see comments below.