SSAE18 & SOC2
What is SSAE18?
If your business is a service organization which processes financial-reporting-relevant information for your clients, you may be required to produce a Statement on Standards for Attestation Engagements (SSAE) No. 18, Reporting on Controls at a Service Organization, sometimes referred to as the Service Organization Controls Report 1 (SOC 1).
What does SSAE18 require?
There are two types of SOC 1 reports: Type I and Type II. The Type I report generally includes the independent service auditor's opinion letter/report, a management assertion statement, and a system description as of a particular date, plus additional optional information from the independent service auditor, including a description of the operating effectiveness tests carried out, and additional optional information provided by the organization. The Type II report, which is generally required annually if your clients are publicly traded companies, is similar but also requires additional information from the independent service auditor, including a description of the operating effectiveness tests carried out over a period of at least six months, and additional optional information provided by the organization.
How can Pointe Solutions help you with your SSAE18 audit?
We understand that it can take a great deal of time and effort to determine, plan, and implement the policies, processes and controls examined during an SSAE18 audit, time and effort that many businesses cannot afford to take away from day-to-day operations. Therefore, in addition to carrying out the audit itself, the team at Pointe Solutions can offer as much or as little assistance as you require to support you during preparation, from simple offsite advice and guidance to full onsite preparation services.
What is SOC2?
The Service Organization Control (SOC) 2 Report addresses a business's controls associated with information that is not relevant to financial reporting; that is, it applies to service organizations that handle, in any way, information on behalf of their clients which is operationally but not financially relevant. Therefore, if one of your clients requests an SSAE18 from your company, but you do not handle information that would be relevant to their financial reporting, you would instead need to provide a SOC2 report.
What does SOC2 compliance look like?
A SOC 2 report is an engagement performed under AT section 101. It is based on the Trust Services Principles Criteria and Illustrations (TSPs) and as such assesses information systems that are relevant to security, availability, processing integrity, confidentiality or privacy. It isn't necessary for an organization's SOC2 report to address all the principles, only those relevant to the actual services it provides. SOC2 compliance thus requires that, in line with an organization's commitments and agreements, its systems meet some or all of the following: they are protected, both logically and physically, against unauthorized access, use or modification; they are available for operation and use; they process data in a complete, valid, accurate, timely, and authorized manner; they protect information designated as confidential; and they ensure personal information is properly collected, used, retained, and disclosed. How this is achieved is up to the organization, so each organization is free to determine and document the controls that need to be in place for its business as it sees fit.
How can Pointe Solutions help you with your SOC2 audit?
The role of the SOC2 audit is to verify that the controls put in place by an organization are appropriate given the requirements of the TSPs and the nature of the services provided. Therefore, SOC2 reports differ from organization to organization and, whilst the ability to specify the controls relevant to a business can at first seem quite freeing, it also introduces additional risk and means senior management time can be taken up with understanding the requirements in detail and then determining which controls need to be in place. The team at Pointe Solutions can help you manage this by, in addition to providing the audit services themselves, also providing pre-audit consultancy services designed to ensure that the controls which are in place, and which will be assessed within the SOC2 audit, are the right ones from the start.