What Is an SSAE 16 Report? (Now a SOC 1 Report)

Demystify SSAE 16 and its evolution to SOC 1 reports. Discover the purpose and significance of these assurance standards for service organizations and financial oversight.

An SSAE 16 report was an assurance report on controls at a service organization. It gave user entities and their financial statement auditors information about controls relevant to the user entities' internal control over financial reporting (ICFR). Many people still search for "SSAE 16," but the standard has been superseded. These engagements are now performed under SSAE 18 (specifically AT-C section 320), and the resulting reports are formally called SOC 1 reports. Note that since 2017 the AICPA expands "SOC" as "System and Organization Controls" rather than the original "Service Organization Control."

SSAE 16 and Its Evolution to SOC 1

Effective for reports dated on or after May 1, 2017, SSAE 18 (Statement on Standards for Attestation Engagements No. 18) superseded SSAE 16. It clarified and recodified the attestation standards into the AT-C sections and brought them closer to international practice. The report itself was already called a SOC 1 report under SSAE 16; what changed in 2017 is the standard the service auditor follows. A report that would once have been described as an "SSAE 16 report" is therefore now a SOC 1 report issued under SSAE 18, and a vendor still advertising a current "SSAE 16" report is working from outdated terminology.

A “service organization” in this context refers to a company that provides services to other organizations that are relevant to those organizations’ financial reporting. Examples include payroll processors, data centers, medical claims processors, cloud service providers, and Software-as-a-Service (SaaS) companies whose services can impact a client’s financial data. The objective of a SOC 1 report is to provide assurance to these user entities and their auditors regarding the effectiveness of controls at the service organization that are relevant to the user entities’ ICFR. This assurance helps user entities comply with regulations, such as the Sarbanes-Oxley Act, by providing a detailed review of controls that affect their financial statements.

The Importance of SOC 1 Reports

SOC 1 reports hold significant value for both service organizations and the user entities they serve. For service organizations, obtaining a SOC 1 report demonstrates a commitment to maintaining robust internal controls over processes that affect client financial reporting. This independent verification can build trust with existing and prospective clients, serving as a competitive differentiator in the marketplace. It also allows service organizations to provide assurance to numerous clients efficiently, avoiding the need for individual audits from each customer.

User entities, which are the clients of these service organizations, find SOC 1 reports to be an invaluable tool for their own financial statement audits. Many organizations outsource functions that directly impact their financial data, such as payroll processing or IT hosting.

A SOC 1 report enables user entities’ auditors to evaluate the design and operating effectiveness of controls at the service organization without having to conduct a separate, costly audit of the service organization themselves. This reliance streamlines the audit process for user entities, contributing to efficiency and cost savings. The report provides transparency into the service organization’s control environment, helping user entities manage risks associated with outsourced services and ensure their own regulatory compliance.

Key Elements of a SOC 1 Report

A SOC 1 report comprises several standard components. The first is the independent service auditor's report, which contains the auditor's opinion on whether the description of the system is fairly presented, whether the controls were suitably designed to achieve the stated control objectives and, in a Type 2 report, whether they operated effectively over the review period. The opinion may be unmodified (often called unqualified), meaning no significant issues were identified; qualified, when specific exceptions are noted; adverse, when the description or controls are materially deficient; or a disclaimer, when the auditor could not obtain enough evidence to form an opinion. The report also contains management's written assertion, in which the service organization asserts that the description is fairly presented and the controls were suitably designed (and, for Type 2, operating effectively). Readers should still review the individual test results in a Type 2 report, because an unmodified opinion does not mean that no exceptions were found, only that they were not significant enough to change the opinion.

The report also includes a “Description of the Service Organization’s System,” prepared by the service organization itself. This section details the services provided, the system used to deliver those services, and the control objectives that the controls aim to achieve. It outlines the processes and procedures within the audit’s scope.

Within the description, “Control Objectives” outline the goals that the service organization’s controls are intended to meet, such as ensuring the accuracy of payroll processing or restricting access to sensitive data. The “Controls” section then describes the specific activities and procedures implemented to achieve these objectives. These controls can include various measures like segregation of duties, access controls, and reconciliation activities.

Another important element is the inclusion of "Complementary User Entity Controls" (CUECs). These are controls that the service organization assumes the user entity has implemented; the control objectives are met only if both sides' controls operate. For instance, a service organization might assume the user entity manages its own users' access to the service and transmits data securely. A user entity relying on the report should map each CUEC to a control it actually operates, because an unaddressed CUEC is a gap in the user entity's own ICFR. When the service organization itself depends on a subservice organization (a SaaS provider hosted on a third-party cloud, for example), the report states whether that provider is covered using the inclusive method or carved out; a carve-out lists "Complementary Subservice Organization Controls" (CSOCs) that the reader must obtain assurance over separately, typically from the subservice organization's own SOC 1 report. The report may also feature "Other Information Provided by the Service Organization," which offers additional context but is not covered by the auditor's opinion.

Type 1 Versus Type 2 Reports

SOC 1 reports are issued in two distinct types: Type 1 and Type 2, each providing a different level of assurance. A Type 1 report focuses on the suitability of the design of controls at a specific point in time. It includes a description of the service organization’s system and the service auditor’s opinion on whether the controls are suitably designed to achieve the control objectives as of a particular date. This report acts as a “snapshot” and does not include testing of the operating effectiveness of controls over a period.

In contrast, a Type 2 report offers a more comprehensive evaluation. It includes all the elements of a Type 1 report and adds the service auditor's opinion on the operating effectiveness of controls over a specified period, commonly six to twelve months. The auditor tests each control during that period (for example, by inspecting a sample of the access reviews or reconciliations performed) to determine whether it operated effectively throughout the period, and the report includes a section describing the tests performed and their results, including any exceptions noted.

For user entities and their auditors, each report type has significant implications. A Type 2 report provides a higher level of assurance because it confirms not only that controls are well-designed but also that they have been operating effectively over time. This makes Type 2 reports more valuable for audit purposes, as they allow user auditors to place greater reliance on the service organization’s controls when auditing the user entity’s financial statements. While a Type 1 report can be useful for initial assessments or when new controls are implemented, a Type 2 report offers a more robust validation of control effectiveness.
