Examination Type: Type 2
Review Date / Period: July 1, 2016, to March 31, 2017
Service Auditor: Schellman (BrightLine CPAs & Associates, Inc.)
SOC 1 Background Information:
"SSAE" is an acronym for Statement on Standards for Attestation Engagements.
SSAE No. 16, Reporting on Controls at a Service Organization (AICPA, Professional Standards, AT sec. 801) is an attestation standard that establishes the requirements and guidance for reporting on controls at a service organization relevant to user entities' internal control over financial reporting.
SSAE No. 16 superseded the SAS 70 audit standard in mid-2011. It is the adopted version of the International Standards for Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization, for use in the United States.
The controls addressed by SSAE No. 16 are those that a service organization implements to prevent, or detect and correct, errors or omissions in the information it provides to user entities.
By engaging an independent CPA to examine and report on their controls, service organizations can meet the needs of their user entities and obtain an objective evaluation of the effectiveness of controls that address operations and compliance, as well as financial reporting at those user entities. To provide the framework for CPAs to examine controls and to help management understand the related risks, the AICPA has established three Service Organization Control (SOC) reporting options. The three types of SOC reports within the structure are as follows:
SOC 1: Reporting on Controls at a Service Organization (also known as SSAE 16)
SOC 2: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
SOC 3: SysTrust for Service Organizations
The term "SOC 1" is interchangeable with the term "SSAE 16" but may also refer to a report prepared in accordance with both SSAE 16 and ISAE 3402.
SOC 1 examinations may only be performed by a licensed CPA firm. The CPA firm that reports on controls at a service organization is often referred to as the service auditor.
NatPay is the "service organization" under review. A service organization is the organization or segment of an organization that provides services to user entities.
User entities are the entities that use a service organization's services. Generally speaking, these are always entities that were customers of the service being examined during the review date / period of the examination.
SOC 1 reports are restricted use reports, which means that the authorized users of the report are generally management of NatPay, user entities of the service during the time period of the examination, and the independent auditors of the user entities.
There are two types of SSAE 16 examinations. SOC 1 reports that opine on management's description of a service organization's system and the suitability of the design of controls are referred to as "Type 1" reports. These examinations always have a review date. SOC 1 reports that opine on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls are referred to as "Type 2" reports. These examinations always have a review period.