IT Examiner School, Providence, RI

SOC Report Types

• Type I Report: – Focuses on a description of a service organization’s system and on the suitability of the design of its controls to achieve the related control objectives included in the description, as of a specified date. – This is considered an “around-the-computer” technique. – A Type I report does no control testing.

SSAE 16 Report Sections

• There are three required sections in an SSAE 18 report: – The first section should provide an overview of the auditor’s opinion as to the implementation and functionality of the internal controls. – The second section is typically management’s description of existing controls. – The third section describes the auditor’s procedures as they apply to SSAE 16 standards and the type of testing procedures that were performed of each control asserted in the second section.