SOC 1 (SSAE 16) Examinations

PRIMARY CONTACTS: Michael Renzelman CPA (Columbus), Steven Thompson CPA (Pittsburgh), Eric Wright CPA, CITP (Pittsburgh), Donald Owens CPA, CITP, CIA, CFF, CBA, CFSA, CRMA (Columbus)

SSAE No. 16 is the accounting profession’s authoritative guidance for an independent examination on controls at a service organization relevant to customers’ (user entities) internal controls over financial reporting.  The SOC 1 (SSAE 16) examination is specifically designed to meet the needs of the entities that use service organizations (user entities) and to meet the needs of the CPAs who audit these entities’ financial statements (user auditors), as they evaluate the effect of the controls at the service organization on user entities’ financial statements. Use of these reports is restricted to the management of the service organization, user entities and user auditors.

Types of SOC 1 Engagements

Readiness Assessment: these reviews are designed to assist service organizations in assessing their preparedness for a SOC 1 examination.  Readiness Assessments are non-attest consulting engagements that are designed to identify gaps in controls and advise the service organization of necessary corrective actions in preparation of the SOC examination.   Schneider Downs works closely with the service organization to ensure mutual agreement on the control objectives and the risks significant to user organizations.

Type I – report on fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.  The SOC 1, Type 1 may be beneficial for organizations that have never completed an examination, as it assesses the design of controls at a specified date. 

Type II – report on fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout the specified period.  The SOC 1, Type 2 examination is typically suggested for organizations that have been through a readiness assessment or previously completed a Type 1 examination, as it assesses both the design and operating effectiveness of controls over a period of time. 

Read about SOC 2 and SOC 3 examinations and the overall SOC Practice at Schneider Downs.