Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

The attestation of service providers’ internal controls is an integral part of audits of companies utilizing cloud service providers. As companies increasingly rely on third-party providers operating “in the cloud,” third-party cloud storage providers must have sufficient controls in place with regard to a company’s financial operations and financial audits

There are three types of SOC reports that can be issued in the aftermath of the SSAE 16 standards, and audit professionals must understand and communicate the scope of each type of report. SOC 1 reports examine and attest to those controls of service organizations that can directly affect the financial statements of the utilizing company. The SOC 1 report is an auditor-to-auditor communication, used to provide user auditors with detailed information about controls at a service organization that impact information provided to user entities.

There are two types of SOC 1 reports. A Type 1 examination looks at controls the service organization has in place on a fixed date. Most companies engaging service organizations will insist on a Type 2 report, which assesses the effectiveness of the service organization’s controls over a period in time, known as the “test period.” Audit professionals need to be able to design relevant testing protocols over an appropriate test period to effectively conduct Type 2 assessments.

Listen as our experienced panel provides a comprehensive and practical guide to conducting SOC 1 attest engagements, detailing best practices for designing test samples and proper reporting standards.

1. Uses and framework for SOC 1 reports
2. IT considerations for audit and attest professionals in preparing SOC 1 reports
3. Testing and sampling criteria and considerations
4. SOC 1 Type 2 report special considerations
   1. Internal audit function
   2. Monitoring
   3. Subservice organization reporting
5. Additional reporting options under SSAE 16

The panel will discuss these and other important issues:

• Differentiating SOC 1 reports from SOC 2 and SOC 3 engagements
• How SOC 1 reports under SSAE 16 differ from previous SAS 70 standards
• Incorporating subservice organization assessments into SOC 1 reports
• What other issues must auditors address in issuing SOC 1 Type 2 attestation reports?

Learning Objectives

After completing this course, you will be able to:

• Identify the circumstances in which a SOC 1 Type 2 report will be required by a service organization client
• Recognize design testing protocols and define a test period for a SOC 1 engagement
• Determine whether subservice organizations need to conduct their own SOC 1 assessment as part of a Type 2 attestation
• Recognize and avoid common mistakes and misconceptions in conducting a SOC 1 engagement

• Field of Study: Auditing
• Level of Knowledge: Intermediate
• Advance Preparation: None
• Teaching Method: Seminar/Lecture
• Delivery Method: Group-Internet (via computer)
• Attendance Monitoring Method: Attendance is monitored electronically via a participant's PIN and through a series of attendance verification prompts displayed throughout the program
• Prerequisite: Basic knowledge of taxation.

Strafford Publications, Inc. is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of Accountancy have final authority on the acceptance of individual courses for CPE Credits. Complaints regarding registered sponsons may be submitted to NASBA through its website: www.nasbaregistry.org.