Well the authoritative source for a soc 1 audit is the american institute of certified public accountants aicpa statement on standards for attestation engagements number 18 ssae 18.
Ssae 18 control objectives.
1 reporting under section 112 of the federal deposit insurance corporation.
Moving to ssae 18.
Since ssae 18 has effectively replaced ssae 16 and also sas 70 and because the ssae 18 controls and related assertions need to be based on relevant internal control over financial reporting icfr service organizations need to constructively re think their control objectives.
Will be implemented by the subservice organizations and are necessary to achieve the control objectives.
What is ssae 18.
Changes for service organizations themselves revision what service organizations need to do differently csocs a complementary subservice organization control csoc is a control that management assumes will be implemented by their subservice organization.
The ssae 18 guidance primarily clarifies existing auditing standards.
18 requires the consideration of complementary subservice organization controls which are the controls for portions of the service organization s systems that are outsourced to other service organizations.
Type 2 report on the fairness of the presentation of management s description of the service organization s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
Entity s internal control over financial reporting that is integrated with an audit of its financial statements and related attestation interpretation no.
Under the ssae 18 standard complementary user entity controls are now defined as those controls that are only necessary to achieve control objectives stated in management s description.
A clearer view of attestation standards for service organizations 1.
Specifically a soc 1 ssae 18 scoping and readiness assessment helps identify what business processes are to be included including icfr issues along with evaluating internal control processes and procedures documentation deficiencies technical security control weaknesses and more.