NDB provides comprehensive SOC 1 (SSAE 18) scoping & readiness assessments for service organizations new to the AICPA Service Organization Control (SOC) framework. Recent changes to the overall AICPA auditing standards have resulted in the use of SSAE 18 as the professional standard for SOC reports dated on or after May 1, 2017. With such changes, many businesses have numerous questions regarding the overall intent and reporting processes for SOC 1 SSAE 18 audits, so turn to the experts at NDB for proven and trusted assistance.
We offer comprehensive SOC 1 SSAE 18 scoping & readiness assessments for service organizations throughout North America – and the globe – that assist in properly planning, remediating, and executing on all aspects of the SOC reporting requirements. Services included within NDB’s SOC 1 (SSAE 18) scoping & readiness assessment include the following:
Assessing ICFR: There’s a concept called “Internal Controls Over Financial Reporting”, and it’s a relevant component of SOC 1 (SSAE 18) Type 1 and Type 2 reporting of which service organizations need to be aware. If a business is conducting essential activities that could impact the financial reporting for their clients, then such businesses have an ICFR element that must be addressed within SOC 1 SSAE 18 reporting. It means developing control objectives that test the internal controls relating to ICFR, which a well-qualified CPA firm, such as NDB, can assist with.
Collaborative Development of Control Objectives: Once scope has been properly assessed for a SOC 1 (SSAE 18) assessment, control objectives will need to be developed, which is often a collaborative process between the service organization and the CPA firm conducting the audit. Again, an in-depth readiness assessment will help assess and choose the correct control objectives for SOC 1 (SSAE 18) reporting. What’s interesting to note about control objectives is that there’s a large degree of subjectivity and overall flexibility in what goes into the development and use of a control objective for testing. Simply stated, you need to work with your CPA firm that’s conducting the SOC 1 (SSAE 18) audit when it comes to assessing, developing, and agreeing upon the control objectives to be used.
Locations: Auditors will often have to visit multiple physical locations for purposes of sampling, physical inspection, and other necessary assessment procedures. It’s therefore important to determine which locations are in scope, why, and what must be accomplished at each location. Travelling can be expensive and time-consuming, so keep this in mind. What’s more, with many other entities now performing annual regulatory compliance audits – such as SOC 1 (SSAE 18), SOC 2, PCI DSS certification, and others – the ability to rely on such reports for reducing audit scope and fees is now a reality.
Third-Party Applicability: As a service organization, do you outsource essential services to another party? If so, then an examination of a third party’s internal controls may be necessary. Many of your third-party providers may have already undergone annual SOC audit compliance (i.e., SOC 1 (SSAE 18), SOC 2, SOC 3 compliance), and if so, we may very well be able to rely on their report. If no testing of internal controls has been conducted, then we’ll need to determine the degree of due diligence necessary. This is all part of our SOC 1 SSAE 18 scoping & readiness assessment activities, so contact us today to learn more about our services and solutions for your business.
More than just Compliance: As auditors, we’re not doing our job if all we provide is baseline minimum recommendations and best practices for SOC 1 (SSAE 18) compliance for your organization. It’s much more than that: it’s about ensuring the safety and security of all organizational assets, which means we provide you with a lengthy list of recommendations that generally go above and beyond the audit. Specifically, compliance with SOC 1 (SSAE 18) often requires service organizations to acquire and implement various security tools, such as vulnerability scanning, two-factor authentication, audit monitoring and logging, and various other tools. We have a wide network of proven and trusted third-party vendors offering such tools at cost-effective rates, so contact us today to learn more.