New Audit Standards Strengthen SOC 1 Examinations

June 2016

In May of this year the AICPA released SSAE No. 18, a new Attestation Standard which will be effective for any attestation engagement opinion occurring on or after May 1, 2017 (early adoption is allowed). The new standard has a very broad focus, covering various aspects of audits, reviews, agreed-upon procedures and other engagements. But as a Service Organization Controls (SOC) 1 practitioner, I noted several items of interest to me, and possibly to you, if you work for a user entity.

Complementary Subservice Organization Controls

From performing SOC 1 examinations, we know that the scope of services performed (or not performed) by subservice organizations means a great deal to our understanding of outsourced services, and that more and more, subservice organizations are outsourcing key functions to additional subservice organizations, creating dependencies that stretch beyond the initial scope of SSAE 18.

SSAE 18 establishes and defines a concept of complementary subservice organizations and their controls, which user entities must now assume in the design of the system description. Another hallmark of these complementary controls is that they are necessary to the achievement of control objectives in the report. This helps clarify an area of ambiguity in SOC 1 reports, where these additional controls were often disclosed in various places to help the reader of the report. SSAE 18 gives some more guidance around this area, and will hopefully lead to more standard, consistent reporting across entities and practitioners.

Data Validation

With SSAE 18, no longer is it sufficient to describe the “system-generated” reports within management’s description of the system; it is necessary to disclose and describe the nature of the report, be it a user access list, exception report, or a reconciliation. This has always represented a better practice, but now it is required.

Similarly, the documentary evidence obtained by auditors must be validated; specifically, it must be deemed “sufficiently reliable for the service auditor’s purposes by evaluating whether the information is sufficiently precise and detailed.” How was the report generated? By whom? Does it include a requisite level of detail with system time stamps or user access logs to validate its usefulness in testing controls?

Also, procedures are required to evaluate the integrity of the system described in the report. Have any changes occurred that must be disclosed in the description?

These new elements are not really new to those of us familiar with SOC 1 engagements, and if anything, they indicate that attestation standards are at least trying to keep up with changes we see in the field. The changes require a more intentional approach to our work, formalizing and documenting our assessment of subservice activities within the system description, and our assessment of audit evidence tested in the engagement.

If you have any questions, please call your BNN service provider at 1.800.244.7444.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.