
SSAE SOC I Type II Information


  • SSAE – Statement on Standards for Attestation Engagements
  • SOC I – Service Organization Control Report No. 1
  • Type I – Audit of a system on a specified date
  • Type II – Audit of a system throughout a specified time period


SSAE SOC audits are performed under an attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).

The SOC I Type II is a high-level security certification requiring a stringent audit process. eFileMyForms has passed this difficult audit without exception, ensuring that your data is secure when using any of our software or services. The SSAE SOC I Type II effectively replaces the SSAE 16 (formerly SAS 70) for reporting periods ending after May 1, 2017.

This standard applies to engagements undertaken by a Service Auditor for reporting on controls at organizations like eFileMyForms which provide services to their customers. The controls in place at service organizations are likely to be relevant to a customer’s internal control over financial reporting (ICFR).


The SSAE SOC I Type II requires certain enhancements in addition to the SSAE 16 report, such as the additional requirement of a risk assessment evaluation, new Complementary User Entity Controls (CUECs) to ensure control over the product/service, and an extension to the audit process that includes further understanding of our service.

Additionally, the SOC I Type II audit requires that a Written Assertion by management be provided to the Service Auditor. In this document, management must assert that the system description and control objectives included therein are a fair presentation for the time period specified in the SOC 1 report.

SOC 1 reports are performed and issued under the Statement on Standards for Attestation Engagements as explained above. The controls addressed in a SOC 1 report are those that a service organization like eFileMyForms implements to prevent, detect and correct errors or omissions in the information it provides to customers.

Type II indicates that the service organization’s system was suitably designed to achieve stated control objectives and to operate effectively throughout a specified time period. Type I refers to a system designed for implementation on a specific date, rather than throughout a specified time period.