Before you actually begin the SOC 1 SSAE 18 process – either a Type 1 or a Type 2 – it’s important to gain a strong technical understanding of many facets of the assessment framework itself. Let’s address some of the most pressing questions and comments we receive regarding SOC 1 SSAE 18 compliance below:
1. SOC 1 vs. SOC 2: The main difference between SOC 1 and SOC 2 is that SOC 1 reporting is often geared towards businesses performing functions that have financial impact considerations for their clients, while SOC 2 is aimed at technology companies – data centers, SaaS entities, and more. With SOC 1 SSAE 18 compliance, the concept of ICFR – Internal Controls Over Financial Reporting – should form the basis of the assessment.
More specifically, if you as a service organization are performing critical functions for your clients that could impact their financial reporting, then SOC 1 SSAE 18 is the preferred assessment to perform. This means you’ll need to work with a CPA firm in helping identify what the relevant ICFR control objectives are for purposes of assessing and ultimately testing of them.
2. Type 1 vs. Type 2: SOC 1 SSAE 18 Type 1 reports are issued for a specific date in time – such as January 31, 20xx. As for Type 2 reports, they cover an actual test period, which is often six months, but can be longer, or even shorter. Beginning with a Type 1 assessment and then moving towards annual Type 2 compliance – especially for service organizations new to SOC 1 reporting, is highly recommended. Additionally, for purposes of regulatory compliance, most of your clients will be seeking Type 2 reporting as this provides a greater level of assurance for one’s internal controls as opposed to just a point-in-time Type 1 audit.
3. Type 2 “Test Period”: While the traditional test period for SOC 1 SSAE 18 Type 2 and SOC 2 Type 2 assessments is generally six (6) months, you can – as stated earlier – shorten or lengthen the test period, it just depends on your reporting needs. What’s also important to remember is that “population” and “sampling” come into play for Type 2 audits as auditors routinely have to request sample sizes from a defined population for various areas, such as change control, the number of employees provisioned and de-provisioned, data backups, etc. A Type 2 audit is a notable step up from a Type 1, so keep this in mind.
5. Remediation Considerations: Remediation is often a two (2) part process that consists of operational and documentation remediation, along with security and technical remediation. As for the operational and documentation remediation, we’re talking about information documents – critical policy material for which auditors will request during the audit process. As for the second part, we’re talking about technical documentation, such as provisioning servers, changing password parameters, and much more.
NDB – Washington D.C.’s Compliance Experts – Fixed Fee Pricing
When it comes to finding a high-quality, proven regulatory compliance firm that services businesses all throughout the Washington DC, Maryland, and Northern Virginia metro area, the choice is NDB. With fixed-fee pricing and a national track record of excellence, we can offer the services and solutions for helping your organization become SOC 1 SSAE 18 compliant. We also offer numerous other compliance services, such as SOC 2, SOC 3, EI3PA, ACH Audits, MERS compliance, internal audits, and more.