Examination Type: Type 2
Review Date / Period: October 1, 2017 to March 31, 2018
Service Auditor: Schellman & Company, LLC
SOC 1 Background Information:
In 2017, SSAE 16 was superseded by SSAE 18 as part of the AICPA’s clarity project around attestation reporting. Reports should still be referred to as SOC 1 reports, as the underlying standards have always governed the service auditors, not the service organization.
The controls addressed in a SOC 1 examination are those that a service organization implements to prevent, or detect and correct, errors or omissions in the information it provides to user entities.
By engaging an independent CPA to examine and report on a service organization’s controls, service organizations can respond to meet the needs of their user entities and obtain an objective evaluation of the effectiveness of controls that address operations and compliance, as well as financial reporting at those user entities. To provide the framework for CPAs to examine controls and to help management understand the related risks, the AICPA has established three System and Organization Control (SOC) for Service Organization reporting options. The three types of SOC for Service Organizations reports within the structure are as follows:
SOC 1: SOC for Service Organizations: Internal Control Over Financial Reporting
SOC 2: SOC for Service Organizations: Trust Services Criteria
SOC 3: SOC for Service Organizations: Trust Services Criteria for General Use Report
The term “SOC 1” may also refer to a report prepared in accordance with both SSAE 18 and ISAE 3402.
SOC 1 examinations may only be performed by a licensed CPA firm. The CPA firm that reports on controls at a service organization is often referred to as the service auditor.
National Payment Corporation is the “service organization” under review. A service organization is the organization or segment of an organization that provides services to user entities.
User entities are the entities that use a service organization’s services. Generally speaking, these are always entities that were customers of the service being examined during the review date / period of the examination.
SOC 1 reports are restricted use reports, which means that the authorized users of the report are generally management of National Payment Corporation, user entities of the service during the time period of the examination, and the independent auditors of the user entities.
There are two types of SOC 1 reports that opine on management’s description of a service organization’s system and the suitability of the design of controls are referred to as “Type 1” reports. These examinations always have a review date. SOC 1 reports that opine on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls are referred to as “Type 2” reports. These examinations always have a review period.