FAQs
Q: What is SSAE 16?
A: Statements on Standards for Attestation Engagements (SSAE) No. 16, also known as Service Organization Control Reports (SOC), is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes. This standard replaced SAS 70 for reports issued after June 15, 2011.
Q: Who can perform an SSAE 16/SOC 1 Audit?
A: An SSAE 16/SOC 1 audit can only be performed by an independent Certified Public Accounting (CPA) firm. In fact, in Colorado it is unlawful for a non-CPA firm to issue an attest report. See Colorado Revised Statue 12-2-120 Unlawful Acts (6)(II)(B). SSAE 16/SOC 1 and SOC 2 are both attest reports. The first offense for a non-CPA firm that issues an attest report is a misdemeanor and the second offense is considered a felony. CPA firms that perform SSAE 16/SOC 1 audits must adhere to specific professional standards established by the AICPA. They are required to follow specific guidance related to planning, execution, and supervision of the audit procedures and the reporting of the results of the audit.
Q: Why would my organization need an SSAE 16/SOC Audit?
A: Data is precious and service users often request proof that service providers have sufficient controls and safeguards in place where user data is transmitted, processed, and/or stored. SSAE 16/SOC 1 audit reports satisfy these requests and provide unbiased feedback of the service provider organization, which aids in meeting quality and process control initiatives. Additionally, the requirements of Section 404 of the Sarbanes-Oxley Act make SSAE 16/SOC 1 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.
Q: What is the difference between Type I and Type II reports?
A: A Type I report represents a service organization’s description of controls at a specific point in time. A Type II report includes the service organization’s description of controls and detailed testing of the service organization’s controls over a minimum six-month period.
Q: How quickly can a SSAE 16/SOC be completed?
A: Generally speaking, Type I audits can usually be completed quickly, giving the service organization a report they can provide to their clients within as little as a few weeks. With Type II reports, there must be at least six months of auditable activity available as well as additional time in the audit procedures to complete testing of those control activities. Once the testing has been completed, the final report is finished and issued to the service organization within a couple of weeks. For both types of reports, the preparedness of the service organization can significantly impact the length of time needed to complete the audit and report.
Quality in Reporting
Linford & Company SSAE 16/SOC 1 and SOC 2 reports are relied on by some of the world's largest user organizations including numerous top five investment banks, top five commercial banks, and top five health insurance companies, just to name a few.
Our royalty audit services are engaged on many of the largest and best known manufacturing companies in the world.
In addition, our HIPAA/HITECH audits utilize the AICPA’s attestation standards for legal and regulatory compliance examinations to provide users with a reliable opinion on HIPAA/HITECH compliance, whether security, privacy, or both.
Contact Us
Have questions or want to discuss details, timing, or pricing related to your SSAE 16/SOC 1, SOC 2, royalty, and/or HIPAA/HITECH compliance examination?
 |
Colorado: +1 (720) 330 7201 Email: info@linfordco.com or visit the Contact Us page |