SSAE SOC Audits: Auditee - Auditor - Assessor Training - In-Person

Audits of "SOC" (System and Organization Control) have been in effect since May 1, 2017 through the implementation of AICPA Statement on Standards for Attestation Engagements (SSAE) 18.


This standard replaced SSAE 16, just as SSAE 16 replaced SAS 70, and SAS 70 replaced SAS 44. This SOC audit standard requires the users of SOC audit reports to adjust their compliance programs to fit the SSAE 18 SOC standard. SSAE 18 is more comprehensive than the prior SOC standards.


Learn the best practices for preparing, conducting and assessing SSAE 18 SOC audit reports from our highly experienced instructor who performs these activities.


This program examines the details of the SOC audit process, from planning to performing to documenting to reporting.


This valuable CPE event is designed to evaluate SSAE 18 SOC requirements from all three viewpoints:
- The Service Organization,
- The External Auditor,
- The Report User.


The materials provide a detailed understanding of an effective program for creating and assessing a system of internal control within an outsourced IT service organization under SSAE 18. It also provides the Report User with insight for interpreting the report and documenting the report review given their user requirements.


We provide guidance for Service Organizations on typical SOC controls and procedures. The event covers guidance for external auditors to allow them and document SOC workpapers and audit reports.


This program will help your organization develop, assess and maintain an effective SSAE 18 SOC program within a Vendor Management Program to comply with the Sarbanes-Oxley Act (SOX) Section 404, similar regulations (HIPAA, GLBA, etc.) and best practices (COBIT, NIST 800, ITIL, etc.).


Our attendees will learn a top-down, risk-based approach to SSAE 18 SOC compliance. The presentation includes:
- Assessing Organizational Objectives: SOC 1, SOC 2, SOC 3, and the SOC Types
- Selecting SOC 1 Control Objectives and Controls
- Selecting SOC 2 Trust Service Criteria (TSCs) and Controls
- Creating a Service Organization Risk Assessment
- Evaluating Client Requirements
- Determining Regulatory Implications
- Developing Service Delivery Proposals
- Creating, Communicating, and Auditing Policies and Procedures
- Managing Vendors and Subservice Organizations
- Maintaining Physical Access Controls
- Maintaining Logical Security Controls
- Maintaining Change Controls
- Maintaining Backup and Restoration Controls
- Evaluating Control Deficiencies
- Maintaining SSAE Standards Compliance


Each attendee will receive 24 CPE Hours (YB). A certificate of completion will be provided.

  • Details on Event Presentation

    The sessions will be as follows:

    Monday – 9:00 a.m. to 5:00 p.m.

    Tuesday - 9:00 a.m. to 5:00 p.m.

    Wednesday - 9:00 a.m. to 4:00 p.m.

    Offered in person in various cities each month, in Monday-Wednesday sessions.

  • CPE Event Highlights

    Fundamental changes have come to Service Organization Control (SOC) reports in the last ten years. In 2011, SAS 70 was superseded by SSAE 16, and then in May 2017, SSAE 18 became effective.

    This move to Statement on Standards for Attestation Engagements (SSAE) 18 brings with it significant updates that strengthen the overall quality of SOC reports.

    You will learn about the SOC framework in this event. Known as Service Organization Control (SOC) reports, the SOC framework is a radical departure from the one-size-fits-all approach held by SAS 70 for approximately twenty (20) years.

    In short, with three reporting options - SOC 1, SOC 2, and SOC 3 - service organizations have more flexibility and more choices regarding third-party assessments of their control environments. While SOC 1 has quickly become the dominant reporting option, SOC 2 and SOC 3 are extremely viable, especially for many of today's technology companies.

  • Learning Objectives

    Attendees will understand:


    • internal control and risk management frameworks
    • the AICPA standard for System and Organization Control audits (SSAE 18 SOC)
    • the various types of SOC audits and their applicability
    • the requirements to prepare for SOC engagements
    • how SOC 1, SOC 2, and SOC 3 audits are conducted
    • how to interpret the SOC reports
    • the identification and testing of internal controls in SOC reports
    • the responsibilities for user entities and testing of user controls
    • how to document the tests of controls
    • common SOC audit internal control deficiencies
    • how auditors form their SOC audit opinion
    • the new types of SOC reports
    • the role of SOC audits in Vendor Management Programs


  • Key Issues on the Agenda

    Section 1 - Introduction and Overview of SSAE 18
    Section 2 - Types of SSAE 18 Audits
    Section 3 - Components of the Audit Report
    Section 4 - Sample Reports
    Section 5 - SOX, COSO and SSAE 18
    Section 6 - The SSAE 18 Data Center Audit
    Section 7 - How to Conduct the SSAE 18 Audit
    Section 8 - Developing the System Description
    Section 9 - Summary of Concepts
    Section 10 - Testing of Controls
    Section 11 - IT Control Frameworks
    Section 12 - Testing the Physical Security Controls
    Section 13 - Testing the Logical Security Controls
    Section 14 - Testing the Changes Controls
    Section 15 - Testing Operations, Backup and Restoration Controls
    Section 16 - Testing the IPO and User Controls
    Section 17 - Evaluating the SSAE 18 Report
    Section 18 - Going Forward with Your Vendor Management Program

  • NASBA Program Disclosure

    Program Level of Understanding: Basic
    Prerequisites: None
    Advance Preparation: None
    Delivery Format: Group Internet Based
    NASBA Field(s) of Study: Auditing, Information Technology
    CPE Credits: 24 based on 50 minutes of instruction per hour
