Let’s spend a few minutes getting back to basics. Why do your clients ask for a SOC 1/SSAE 16 report to be provided? Your clients ask because their auditors probably asked for it. So why do their auditors ask for this report? The roots of SSAE 16 can be traced back to SAS 70 and even further to SAS 55. An understanding of internal controls is a fundamental component of performing a financial audit. I spent time early in my career in the financial audit department, which helps me explain to companies why a SOC 1/SSAE 16 report would or would not be applicable to the company. In performing a financial audit, the auditor makes inquiries of the company regarding its internal controls. Obtaining an understanding of internal control over financial reporting is a required step for the auditor to perform. If a service has been outsourced to another company, the auditor is required to understand the internal controls at that company so that control risk can be assessed accordingly.
In determining whether or not a SOC 1/SSAE 16 report is applicable, the company should determine how its services impact its clients’ financial reporting. This would not include simply sending them a bill for services, as with your electric bill. The company should work with the service auditor to understand the impact on financial reporting. I recall from my CPA exam studying (back when I walked uphill both ways to school) the COVES acronym for financial statement assertions: Completeness, Obligations and Rights, Valuation, Existence, Statement of Presentation. I ask questions of the company to understand its services and how its clients’ auditors would interpret the services as affecting financial reporting. This helps confirm that the SOC 1/SSAE 16 report is the correct reporting choice. Determining which financial statement assertions are affected by the company also provides guidance as to the scope of the description of the system. The service organization determines the scope of the control objectives to be tested, but it is up to the service auditor to provide reasonable assurance that the description of the system is complete and accurate given the services provided.
Sometimes, as auditors, we lose track of the fundamentals of the purpose of SOC 1/SSAE 16 reports, and I wanted to make sure we remember what the purpose of the report is. It is to be relied upon by financial auditors to understand the controls at a service organization that affect the financial reporting of their clients.