The New Standard in Town (SSAE 18)
Effective for reports dated on or after May 1, 2017, the American Institute of Certified Public Accountants (AICPA) is issuing SSAE 18 to replace the current guidance for all attestation engagements, including those specific to SOC 1 and SOC 2 engagements [1]. With the ever-changing landscape and the growing need for assurance examinations, the adoption of the new standard will allow readers to understand and apply the standard more easily and consistently.
A recent BNN article focused on the users of SOC reports, including clients of the companies whose services are covered by SOC reports. This article focuses on the service organizations – the companies that need to obtain SOC examinations.
How the new standard affects service organizations
Since the implementation of SOC 1 in 2011, the trend of service organizations outsourcing activities to third-party subservice organizations has accelerated. Going forward, service organizations will need to determine the controls that any of these subservice organizations implement to enable the service organization to achieve its control objectives (Complementary Subservice Organization Controls, or CSOCs). In the past, service organizations were not expected to extend their understanding of third-party controls to this level. In addition to determining the CSOCs, the service organization must formally compare the combined control activities of the subservice organization and itself to ensure there are no gaps in the control activities that would be relevant to its customers.
How can the service organization tell if the subservice organization is doing what it should?
Service organizations will need to document their monitoring controls over their subservice organizations. Monitoring activities can include:
- Reviewing and reconciling output reports
- Holding discussions and making regular visits to the subservice organization
- Reviewing relevant SOC reports from the subservice organization and even testing controls at the subservice organization
- Monitoring external communications regarding the subservice organization such as customer complaints
In addition to implementing monitoring activities over the controls at the subservice organization, the service organization will need to complete a comprehensive review of its subservice organizations to determine whether any of them outsource their processes to another third party. If a subservice organization does outsource to a third party (considered a fourth party by the service organization) and the outsourced controls are relevant to the SOC 1 control objectives, the fourth party should also be disclosed in the SOC report along with the relevant subservice organization.
How the new standard affects service auditors
The new standard imposes changes for service auditors as well. This includes a requirement to thoroughly and formally evaluate information provided by the service organization that is used for testing to ensure that it is sufficiently reliable, accurate, and complete. Items that fall under this evaluation might include:
- Population lists used to select a sample of items for testing
- Lists of data that have specific characteristics
- Exception reports generated by the service organization
- Transaction reconciliations
- User access lists
- System-generated reports
Accordingly, service organizations should be prepared to provide the evidence needed for the service auditors’ evaluations. This may include additional walkthroughs conducted with control owners, as well as additional observation of source documentation to ensure that evidence is reliable for the auditors’ procedures.
Separately, the service auditor will be required to complete a more detailed audit risk assessment prior to commencing an engagement. This risk assessment could include assessing the characteristics of the subject matter, the suitability of the criteria used by the service organization, and other factors. While performing the risk assessment, the service auditor will need to include inherent risk considerations such as the complexity of the subject matter or assertion, prior experience with the service organization, the length of time the service organization has been performing the processes, and the controls related to the subject matter or assertion. Note that while the service auditor is required to complete this risk assessment, it is the service organization that is tasked with determining the risks that threaten the achievement of the control objectives stated in management’s description in the case of a SOC 1 report, and the applicable trust services criteria [2] in the case of a SOC 2 report.
How the new standard affects the presentation of SOC reports
SSAE 18 calls for changes to the actual presentation of the SOC reports (both SOC 1 and SOC 2). CSOCs will be listed in the description of the system and generically mentioned for consideration within the service organization’s Assertion over that system description. Any fourth parties of the service organization will also need to be disclosed in the description and Assertion. Finally, monitoring activities performed by the service organization over the controls at the subservice organization will need to be included in management’s description. In addition to the items noted above, the service auditor will need to determine whether it is appropriate to include a description of the tests that were performed to validate the information that the service organization provided for testing.
In reality, most of these changes require formal documentation of efforts your service auditors have been making all along pursuant to SSAE 16. While the changes required under the new SSAE 18 may seem significant when considered as a whole, they can be achieved through proper planning and consideration, and the end result of a more clearly defined and tested system will provide better assurance to service organizations and their customers alike.
If you have any questions about this topic, contact Emily Antonico or your BNN advisor at 800.244.7444.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.
[1] The current standard, Statement on Standards for Attestation Engagements (SSAE) No. 16, AT Section 801 (SOC 1), as well as AT Section 101 (SOC 2), is being replaced with SSAE No. 18, AT-C Section 105, AT-C Section 320 (SOC 1) and AT-C Section 205 (SOC 2).
[2] The Trust Services Criteria, developed by the AICPA, are used to evaluate a description of a service organization’s system and the design and operating effectiveness of its controls relevant to the trust services principles.