SSAE 18 Soc 1 Type 2

SSAE 18 Soc 1 Type 2 Examination Information

Examination Scope: Doculivery Online Document Management and Automated Clearing House (ACH) Third Party Processing Services

 
Examination Type: Type 2

Review Date / Period: October 1, 2022 to March 31, 2023

Service Auditor: Schellman & Company, LLC

SOC 1 Background Information:
 

In 2017, SSAE 16 was superseded by SSAE 18 as part of the AICPA’s clarity project around attestation reporting. Reports should still be referred to as SOC 1 reports, as the underlying standards have always governed the service auditors, not the service organization.

The controls addressed in a SOC 1 examination are those that a service organization implements to prevent, or detect and correct, errors or omissions in the information it provides to user entities.

By engaging an independent CPA to examine and report on a service organization’s controls, service organizations can respond to meet the needs of their user entities and obtain an objective evaluation of the effectiveness of controls that address operations and compliance, as well as financial reporting at those user entities. To provide the framework for CPAs to examine controls and to help management understand the related risks, the AICPA has established three System and Organization Control (SOC) for Service Organization reporting options. The three types of SOC for Service Organizations reports within the structure are as follows:

SOC 1: SOC for Service Organizations: Internal Control Over Financial Reporting

SOC 2: SOC for Service Organizations: Trust Services Criteria

SOC 3: SOC for Service Organizations: Trust Services Criteria for General Use Report

The term “SOC 1” may also refer to a report prepared in accordance with both SSAE 18 and ISAE 3402.

SOC 1 examinations may only be performed by a licensed CPA firm. The CPA firm that reports on controls at a service organization is often referred to as the service auditor.

National Payment Corporation is the “service organization” under review. A service organization is the organization or segment of an organization that provides services to user entities.

User entities are the entities that use a service organization’s services. Generally speaking, these are always entities that were customers of the service being examined during the review date / period of the examination.

SOC 1 reports are restricted use reports, which means that the authorized users of the report are generally management of National Payment Corporation, user entities of the service during the time period of the examination, and the independent auditors of the user entities.

There are two types of SOC 1 reports that opine on management’s description of a service organization’s system and the suitability of the design of controls are referred to as “Type 1” reports. These examinations always have a review date. SOC 1 reports that opine on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls are referred to as “Type 2” reports. These examinations always have a review period.

Endorsements

ACH Leader

In business since 1991, NatPay remains a top leader in ACH & Document Distribution Solutions processing $145+ billion annually for 272,000+ ACH clients nationwide.

Insured & Audited

NatPay is insured through three major insurance carriers, and uses a third-party accounting firm to perform annual audits of its records.

Compliant

NatPay is  HIPAA compliant, and a SSAE 18 (SOC 1) Type 2 examined organization for both ACH and Document Distribution Solutions.