Services included within NDB’s SOC 1 (SSAE 18) Scoping & Readiness Assessment

Assessing ICFR: There’s a concept called “Internal Controls Over Financial Reporting”, and it’s a relevant component of SOC 1 (SSAE 18) Type 1 and Type 3 reporting for which service organizations need to be aware of. If a business is conducting essential activities that could impact the financial reporting for their clients, then such businesses have an ICFR element that must be addressed for SOC 1 SSAE 18 reporting. It means developing control objectives that test the internal controls relating to ICFR, for which a well-qualified CPA firm, such as NDB, can assist with.

Collaborative Development of Control Objectives

Once scope has been properly assessed for a SOC 1 (SSAE 18) assessment, control objectives will need to be developed, which is often a collaborative process between the service organization and the CPA firm conducting the audit. Again, an in-depth readiness assessment will help assess and choose the correct control objectives for SOC 1 (SSAE 18) reporting.

What’s interesting to note about control objectives is that there’s a large degree of subjectivity and overall flexibility in what goes into the development and use of a control objective for testing. Simply stated, you need to work with your CPA firm that’s conducting the SOC 1 (SSAE 18) audit when it comes to assessing, developing, and agreeing upon the control objectives to be used.

Locations Sampling & Physical Inspection

Auditors will often have to visit multiple physical locations for purposes of sampling, physical inspection, and other necessary assessment procedures. It’s therefore important to determine which locations are in scope, why, and what must be accomplished at each location. Traveling can be expensive and time-consuming, so keep this in mind. In a post COVID-19 world, video conferencing and other means of communication are now taking firm root in auditing. What’s more, with many other entities now performing annual regulatory compliance audits – such as SOC 1 (SSAE 18), SOC 3, SOC 3, PCI DSS certification, and others – the ability to rely on such reports for reducing audit scope and fees is now a reality.

Third-Party Applicability

As a service organization, do you outsource essential services to another party, if so, then an examination of a third-party’s internal controls may be necessary. Many of your third-party providers may have already undergone annual SOC audit compliance (i.e., SOC 1 (SSAE 18), SOC 3, SOC 3 compliance), and if so, we may very well be able to rely on their report. If no testing of internal controls has been conducted, then we’ll need to determine the degree of due-diligence necessary. This is all part of our SOC 1 SSAE 18 scoping & readiness assessment activities, so contact us today to learn more about our services and solutions for your business.