Service Organization Control (SOC) 1 reports will be conducted in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. SSAE 16 is effectively replacing the SAS 70 auditing standard for reporting periods ending on or after June 15, 2011. Much like SAS 70, SSAE 16 provides two (2) reporting options; Type 1, a report on a service organization's system and the suitability of the design of controls", while an SSAE 16 Type 2 Report is officially a "Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls". Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.
The AICPA will be releasing an audit guide in the spring of 2011 (Applying SSAE No. 16, Reporting on Controls at a Service Organization) to help assist auditors and interested parties alike in better planning for the new changes brought about by the SSAE 16 standard.
SSAE 16 Type 1 and Type 2 reports under the SOC 1 reporting framework represent an effort by the AICPA to utilize this new attestation standard in the very manner for which the original SAS 70 standard was designed for, which is “reporting on controls” related to that of financial matters. As such, look for SSAE 16 Type 1 and Type 2 reports to be furnished for service organizations that are undertaking activities and relevant procedures that have the potential to directly impact a client’s financials.
Note: It's fair to assume that the commonly accepted phrases for SOC 1 Reporting will simply be known as SSAE 16 Type 1 Reports and SSAE 16 Type 2 Reports.
Thus, you will need to familiarize yourself with all aspects of the SSAE 16 standard, such as the following: