SSAE 18 reports, which were previously referred to as both SSAE 16 attestations and SAS 70 reports, follow formal auditing standards established by the American Institute of Certified Public Accountants (AICPA).

Determine the Service Organization Controls (SOC) report necessary for the organization. SOC reports come in two types and each one requires different information.

  1. SOC 1 reports review the controls over financial reporting.
  2. SOC 2 reports cover internal controls over data security, availability, processing integrity, confidentiality, and privacy.

Find a CPA firm that aligns to the organization’s needs.

  1. The firm should be well-versed in the organization’s specialization or industry
  2. It should meet the budgetary requirements.
  3. The firm and auditor should have SOC 1 auditing experience.
  4. The firm’s control objectives and related controls should align with end-user needs.

Define the SOC 1 audit scope.

  1. Review the physical location for the audit.
  2. Define the number of locations that will be included in the audit.
  3. Define the audit testing period.
  4. Specify the workforce members who need to be involved during the audit process.

Define the subservice organizations and complementary user entity controls that need to be reviewed as part of the audit.

  1. Review data centers
  2. Cloud service providers
  3. Software-as-a-Service platforms
  4. Catalog all outsourced service providers.

Set control objectives.

  1. Define the internal controls that require review.
  2. Determine the steps necessary for testing.
  3. Define the process owners who need to be involved.
  4. Establish an internal stakeholder who needs to review and respond to the draft report.
  5. Define the stakeholders who must approve the final report.