The SSAE 16/SOC 1 Type 1 Exam

Also known as the "Independent Service Auditor's Report on a Description of a Service Organization's System and the Suitability of the Design of Controls"

 


SSAE 16 is the AICPA standard that supersedes the "SAS 70 Audit" standard as of June 15, 2011. The exam, also called an "assessment" or "audit", provides independent, third-party verification of management's assertion that a service organization's policies and procedures were correctly designed at a point in time to achieve specified control objectives.

The Type 1 report that results from the exam gives a service organization's clients and their auditors information about the controls in place that may be relevant to the user organization's internal controls with regard to financial reporting. A user organization's auditor may use the Type 1 report and other relevant information to gain a better grasp of the user organization's internal controls when planning a financial audit.

When to Consider a Type 1 Exam

  • A report is required for delivery in a short period of time to fulfill a contractual or Request For Proposal (RFP) requirement;
  • The service organization believes that the user organization will accept a Type 1 report as a road map for obtaining an SSAE 16 Type 2 assessment; or
  • Cost is the main determinant in choosing the type of audit.

Audit Scope

The SSAE 16 attestation standard does not stipulate specific controls for examination. Each audit is therefore customized to the specific requirements of the service organization, and requires examination of controls specific to its services, as well as the IT controls, regulatory and contract requirements that sustain these services.

Accordingly, the service organization's definition of its control objectives, as well as the supporting control activities that permit it to meet its specified control objectives, determine the scope of the assessment.

The auditor examines controls to determine whether:

  • The control system is accurately depicted in management's descriptions and the design of the controls is suitable;
  • The system descriptions prepared by management accurately represent all relevant aspects of the controls that are operational as of the report date; and
  • The design of the controls provides reasonable assurance that, if the controls are complied with satisfactorily, the specified control objectives will be achieved.

Deliverables

  • A hard copy and an electronic copy of the audit report
  • A report for internal use only containing detailed management recommendations noted as a result of the audit

Type 1 Report Contents

Auditor's Opinion letter, also called the "Independent Service Auditor's Report"

Descriptions of the controls and services provided by the organization that cover:

  • Management's assertion
  • General and application controls
  • Risk assessment process
  • Information and communication system overview
  • Monitoring procedures
  • Control environment

User control considerations, so the user organization will be aware of the controls that it is accountable for as a user of the services

Other relevant information supplied by the service organization's management, e.g., feedback regarding the service auditor's report.