IT Examiner School, Seaside, CA
Service Organization Control (SOC) Reports
| Report Contents | Type I | Type II |
|---|---|---|
| Independent service auditor’s report (e.g. opinion) | Included | Included |
| Service organization’s description of system (including controls) | Included | Included |
| Information provided by the independent service auditor; includes a description of the service auditor’s tests of operating effectiveness and the results of those tests | Optional | Included |
| Other information provided by the service organization (e.g. glossary of terms) | Optional | Included |

(Information from SSAE 16.com)
Statement on Standards for Attestation Engagements SSAE 18
• Statement on Standards for Attestation Engagements Number 18 (SSAE 18) – Replaced earlier standards (SAS 70 and SSAE 16)
• Authoritative guidance for service organizations as of May 2017
• International & US standard for reporting a service organization’s controls
• Financial entities should request an SSAE 18 from IT servicers as part of vendor management (in Management Module)