Assess the risk posed by the service organizations’ control environments and obtain sufficient assurance over the operating effectiveness of relevant and significant controls to determine the integrity of SVOG program transactions processed on behalf of and recorded by SBA. To achieve this, consider obtaining a SOC 1 report for the relevant control environments at the service organizations, and perform and document the following: • SOC 1 report is sufficiently scoped to cover transaction processing and related control activities performed by the service organizations on behalf of SBA. • All exceptions noted in the SOC 1 report – not just those described in the independent service auditor’s report – are evaluated to determine applicability to SBA’s internal controls over financial reporting, the potential impact to SBA’s financial statements, and mitigating controls considerations made during their risk assessment. • All complementary user entity controls described in the SOC 1 reports are evaluated using current information and with consideration to their applicability to SBA’s internal controls over financial reporting. • Evaluation procedures performed to assess whether complementary user entity controls and other SBA-performed controls were tested on a frequency determined by SBA and found operating effectively and, if they are not, assess the impact of such deficiencies on SBA’s internal controls over financial reporting. • All complementary subservice organization controls described in SOC 1 reports are evaluated to determine whether they provided services and performed controls considered relevant to SBA’s internal controls over financial reporting and, if relevant subservice organizations were identified, an evaluation is performed to obtain an understanding of the subservice organization(s) and their controls. • SOC 1 reports cover the appropriate period or corresponding gap letters provide sufficient coverage to assess impacts on SBA’s internal controls over financial reporting.