Saturday, February 04, 2012, 1:39 PM

SAS 70 Examinations: Rigorous Reviews to Tighten Internal Controls

J.H. Cohn specializes in conducting both Type I and Type II AICPA SOC 1 Examinations (formerly SAS 70 Examinations or SSAE 16 Examinations).

SOC 1 examinations are the end result of a rigorous examination of a service organization’s internal controls. Type I, “a point in time report,” focuses on a description of controls, the design of the controls, and whether or not they have been placed in operation as of a specified date, while Type II includes the Type I objectives and detailed testing of the controls related to the objectives. Type II reports are more comprehensive and, while required for public companies, are recommended for private businesses as well.

The AICPA’s Service Organization Controls standards (SOC 1) apply to organizations that provide services or use a service organization to process certain transactions. SOC 1 reports provide information on factors an independent auditor should consider when auditing the financial statements of entities that use service providers to process transactions.

J.H. Cohn’s dedicated IT Audit Department has completed many SAS 70 examinations for companies in a wide range of industries, including educational services, bank trust departments, telecommunications, healthcare, insurance, and professional examination services. The team’s professionals have both CPA and CISA credentials and devote 100 percent of their time to the following:

  • SOC 1 (formerly SAS 70 and SSAE 16)
  • SAS 94 (The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit)
  • WebTrust privacy audits
  • Internal control assessments
  • Attestations
  • Penetration tests/Ethical hacks
  • Server hardening assessments
  • Firewall assessments
  • Other non-attestation IT control work related to financial audits

At J.H. Cohn, our clients value not only our deep technical expertise but also our focus on integrity, commitment to quality, and genuine concern for their businesses. When you seek our assistance with SOC 1, you’ll receive the resources of a larger firm and gain partner-/manager-level attention at the same time.

A Proactive Approach Strongly Recommended

On the surface, certain outsourced services may not appear to have an impact on financial statements, but SOC 1 has a broad reach. The reports are especially relevant for organizations that provide services in support of electronic commerce, such as web hosting, and other entities such as insurance companies, businesses that outsource information technology and other services, healthcare billing companies, trust departments, and mortgage providers.

An organization should assess whether it may be requested by its customer to provide a SOC 1. Accordingly, it may be a good idea to take a proactive approach to SAS 70 and have the examination conducted in advance of a request. Not only will the report be readily available when you need it, but organizations that have the examination conducted in advance also have the opportunity to make improvements, if necessary, to internal controls.

Our Process

Based on our experience preparing many SAS 70 examinations, we have developed an approach that is customized for each client’s needs. J.H. Cohn begins a SAS 70/SOC 1 examination by gaining an understanding of the service organization’s high-level COSO components, general controls, and application controls. We do this by reviewing management’s description of controls, consulting with management, observing operations, and performing walkthroughs of representative transactions in both SOC 1 Type I and Type II examinations. The resulting SOC 1 report will include the service auditor’s opinion letter as well as the service organization’s description of controls and related control objectives. A SAS 70 Type II also includes a report on the service auditor’s tests of operating effectiveness.

The five phases of our process are:

  • Phase I: Gaining an Understanding of Internal Control
  • Phase II: Testing (for Type II)
  • Phase III: Wrap-up
  • Phase IV: Review
  • Phase V: Reporting

Our experience indicates that certain organizations benefit from a readiness review, which includes the same phases of our process as described above with the exception of reporting. J.H. Cohn can also assist service organizations undergoing a first-time SOC 1 by conducting a readiness review, which helps an organization prepare for the SOC 1 examination.

We’re dedicated to understanding your business and assisting in your success. A detailed document providing the steps involved in J.H. Cohn’s SAS 70 examinations is available. For more information, click here.

Faces of J.H. Cohn
Kelly O'Callaghan, CPA, Partner
Steven Schenkel, CPA, Partner and Managing Director, Accounting and Audit Services