The SSAE 16/SOC 1 Type 2 Exam
Also known as the "Type 2 Service Auditor's Report" or "Independent Service Auditor's Report on Description of a Service Organization's System and the Suitability of the Design and Operating Effectiveness of Controls"
The SSAE 16/SOC 1 Type 2 Exam provides independent, third-party verification of management's assertion that a service organization's policies and procedures were correctly designed and were operating effectively enough throughout the period (typically 6 to 12 months) in order to achieve the specified control objectives.
Normally requested by the service organization's clients and their auditors, the Type 2 report that results from the exam is considered the standard for using an independent auditor's (the service auditor) work as a replacement for conducting first-hand testing in relation to financial audits or Sarbanes-Oxley compliance.
Service Organization Candidates
- Those that render services with a direct or considerable impact on clients' financial reporting,
- Those contractually bound to provide a Type 2 report to clients,
- Those without an internal audit department that wish to use the Type 2 report as part of an alternative for auditing their operational and IT controls, or,
- Those with publicly listed corporate clients that adhere to Sarbanes-Oxley compliance initiatives.
The SSAE 16/SOC 1 standard does not provide for a specified set of controls that must be scrutinized during examination. Each audit is therefore customized to the specific requirements of the service organization, and requires examination of controls specific to its services, as well as the IT controls, regulatory and contract requirements that sustain these services.
Accordingly, the service organization's definition of its control objectives, as well as the supporting control activities that permit the organization to meet its specified control objectives, determine the scope of the assessment.
The auditor examines controls by:
- Obtaining management's written assertion on the service organization's description of controls;
- Requesting the service organization's description of controls;
- Inspecting the service organization's description of controls;
- Observing the service organization's controls; and
- Re-performance testing of the service organization's controls.
Once the above processes are complete, the auditor will offer opinion over management's assertion as to whether:
- The description of the controls provided by the service organization accurately depicts all material and relevant aspects of its controls that are designed and implemented during the period;
- The controls were adequately designed to provide reasonable assurance that their effective operation would achieve the specified control objectives; and,
- The tested controls operated effectively and offer reasonable assurance that the specified control objectives were met during the period.
The SSAE 16/SOC 1 Exam report to provide to the service organization's clients
A management letter for internal use only containing detailed recommendations noted as a result of the audit
Type 2 Report Contents
Auditor's Opinion letter, also called the "Independent Service Auditor's Report"
Descriptions of the controls and services provided by the organization that cover:
General and application controls
Risk assessment process
Information and communication system overview
User control considerations, so the user organization will be aware of the controls that it is accountable for as a user of the services
Other relevant information supplied by the service organization's management, e.g., any exceptions to the controls testing