Interested in training for your team? Click here to learn more

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

Recording of a 110-minute CPE webinar with Q&A

This program is included with the Strafford CPE Pass. Click for more information.
This program is included with the Strafford CPE+ Pass. Click for more information.
This program is included with the Strafford All-Access Pass. Click for more information.

Conducted on Tuesday, August 9, 2016

Recorded event now available

or call 1-800-926-7926

This course will provide audit and attest professionals with a practical and comprehensive guide to issuing and interpreting SSAE 16 (SOC 1) audit reports of outside service companies. The panel will discuss the specific features and functions of an SOC 1 report, focusing on the peculiarities of preparing an internal controls report for a service provider and will provide useful details on the the attestation standards for external service organizations.


The attestation of service providers’ internal controls is an integral part of audits of companies utilizing cloud service providers. As companies increasingly rely on third-party providers operating “in the cloud,” third-party cloud storage providers must have sufficient controls in place with regard to a company’s financial operations and financial audits

There are three types of SOC reports that can be issued in the aftermath of the SSAE 16 standards, and audit professionals must understand and communicate the scope of each type of report. SOC 1 reports examine and attest to those controls of service organizations that can directly affect the financial statements of the utilizing company. The SOC 1 report is an auditor-to-auditor communication, used to provide user auditors with detailed information about controls at a service organization that impact information provided to user entities.

There are two types of SOC 1 reports. A Type 1 examination looks at controls the service organization has in place on a fixed date. Most companies engaging service organizations will insist on a Type 2 report, which assesses the effectiveness of the service organization’s controls over a period in time, known as the “test period.” Audit professionals need to be able to design relevant testing protocols over an appropriate test period to effectively conduct Type 2 assessments.

Listen as our experienced panel provides a comprehensive and practical guide to conducting SOC 1 attest engagements, detailing best practices for designing test samples and proper reporting standards.



  1. Uses and framework for SOC 1 reports
  2. IT considerations for audit and attest professionals in preparing SOC 1 reports
  3. Testing and sampling criteria and considerations
  4. SOC 1 Type 2 report special considerations
    1. Internal audit function
    2. Monitoring
    3. Subservice organization reporting
  5. Additional reporting options under SSAE 16


The panel will discuss these and other important issues:

  • Differentiating SOC 1 reports from SOC 2 and SOC 3 engagements
  • How SOC 1 reports under SSAE 16 differ from previous SAS 70 standards
  • Incorporating subservice organization assessments into SOC 1 reports
  • What other issues must auditors address in issuing SOC 1 Type 2 attestation reports?


Mitchell Evans
Mitchell Evans
Director, Risk Consulting
Barr Assurance & Advisory

Mr. Evans is experienced in the IT Audit and Security world. Prior to joining his firm, he worked at KPMG's IT...  |  Read More

Brad Thies
Brad Thies
Principal, Risk Consulting
Barr Assurance & Advisory

Mr. Thies specializes in helping clients assess, design, and implement processes and controls to meet customer,...  |  Read More

Greg Ameden, CISA
Greg Ameden, CISA

Director of IT Assurance Services
Hancock Askew & Co.

Mr. Ameden is his firm's Director of IT Assurance and Advisory Services for Hancock Askew and leads the...  |  Read More

Access Anytime, Anywhere

CPE credit is not available on downloads.