Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1(R)) - Guide
This updated and improved guide is designed to help CPAs effectively perform SOC 1® engagements under AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, of Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification.
With the growth in business specialization, outsourcing tasks and functions to service organizations has become increasingly popular, increasing the demand for SOC 1 engagements.
This guide will help you do the following:
- Gain a deeper understanding of the requirements and guidance in AT-C section 320 for performing SOC 1 engagements.
- Obtain guidance from top CPAs on how to implement AT-C section 320 and address common and practice issues.
- Provide best in class services related to planning, performing, and reporting on a SOC 1 engagement.
- Successfully implement changes in AT-C section 320 arising from the issuance of SSAE 18, which is effective for reports dated on or after May 1, 2017.
- Determine how to describe the matter giving rise to a modified opinion by providing over 20 illustrative paragraphs for different situations.
- Understand the kinds of information auditors of the financial statements of user entities need from a service auditor's report.
- Implement the requirement in SSAE No. 18 to obtain a written assertion from management of the service organization.
- Organize and draft relevant sections of a type 2 report by providing complete illustrative type 2 reports that include the service auditor’s report, management’s assertion, the description of the service organization’s system, and the service auditor’s description of tests of controls and results.
- Develop management representation letters for SOC 1 engagements.
- Updated for SSAE No. 18 and to reflect lessons learned in practice, this guide has been fully conformed to reflect changes resulting from SSAE No. 18, the clarified attestation standards.
- Contains insight from expert authors on the Service Organizations Task Force composed of CPAs that all perform SOC 1® engagements and updates the guide with lessons learned in practice.
- Includes illustrative report paragraphs describing the matter that gave rise to the report modification for a large variety of situations.
Additionally, this guide discusses and covers implementation challenges. In SSAE No. 18, the applicable requirements and application guidance for a service auditor’s engagement are contained in three different sections: AT-C section 105, Concepts Common to All Attestation Engagements, AT-C section 205, Examination Engagements, and AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting. The information in each section is not repeated in the other sections, so a service auditor would have to focus on all three sections. This guide integrates the requirements and application guidance in the three sections in the discussion of service auditors’ engagements.
There is no longer an early implementation issue because SSAE No. 18 is effective for service auditor’s reports dated on or after May 1, 2017, so practitioners are already performing engagements that cover years in which SSAE No. 18 would be effective (that is, years beginning on or about May 1, 2016).
Who Will Benefit?
- Practitioners performing SOC 1® engagements
- Management of entities that have SOC 1® engagements being performed and auditors relying on SOC 1® reports may also find this guide useful