Introduction to SSAE 18 and Service Organization Controls (SOC) Examinations
The American Institute of Certified Public Accountants (AICPA) issued a new attestation standard, effective for reports dated on or after May 1, 2017, that has changed how accounting firms and service organizations approach their SOC engagements.
Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification, does not make wholesale changes to the SOC reporting process. It was intended to clarify requirements of SSAE 16 (and the other SSAEs), to recodify them into the AT-C sections, and to bring the AICPA standards closer to those of the International Auditing and Assurance Standards Board. SSAE 18 still allows service organizations to issue three types of reports under the Service Organization Control (SOC) reporting framework (which the AICPA has since renamed System and Organization Controls). The type of report a service organization chooses will depend primarily on the services it provides to its customers and the assurance those customers need.
REPORT TYPES
SOC 1 EXAMINATIONS
SOC 1 examinations cover controls at a service organization that are relevant to its user entities' internal control over financial reporting (ICFR). They are performed under SSAE 18 (AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting). The report is intended for the user entities and for the auditors of their financial statements, who rely on it when controls at the service organization affect the user entity's ICFR; it is a restricted-use report. A SOC 1 report consists of three parts: (1) management's description of the service organization's "system"; (2) a written assertion from management that the description fairly presents the system as designed and implemented, and that the controls were suitably designed to achieve the stated control objectives; and (3) the service auditor's report and opinion. SOC 1 reports come in two types. A Type 1 report addresses the fairness of the description and the suitability of control design as of a specified date. A Type 2 report addresses the description, design, and operating effectiveness of the controls throughout a specified period (typically six to twelve months) and includes the auditor's tests of controls and their results; only a Type 2 report provides an opinion on operating effectiveness. Service organizations that typically receive a SOC 1 include payroll processors, loan servicers, insurance claims servicers, and medical claims processors.
SOC 2 AND SOC 3 EXAMINATIONS
SOC 2 and SOC 3 examinations are also performed under SSAE 18 (AT-C Section 105, Concepts Common to All Attestation Engagements, and AT-C Section 205, Examination Engagements) and follow the AICPA guide "Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy." (References to "AT Section 101" describe the pre-SSAE 18 codification, which SSAE 18 superseded.) SOC 2 and SOC 3 reports are used by service organizations whose controls are not relevant to user entities' internal control over financial reporting; instead, the examination evaluates whether the organization's controls meet the AICPA's Trust Services Criteria. The AICPA defines five categories (formerly called principles): Security, Availability, Processing Integrity, Confidentiality, and Privacy. Within each category the AICPA sets out specific criteria that the service organization's controls must address. Security is the baseline: its criteria (the "common criteria") apply to every SOC 2 engagement, and the service organization scopes the report by selecting which additional categories apply to the services it provides. SOC 2 reports, like SOC 1 reports, are issued as Type 1 (design as of a date) or Type 2 (design and operating effectiveness over a period). A SOC 2 report is a restricted-use report that includes the detailed system description, the auditor's tests of controls, and the results of those tests; it is intended for customers and other parties who understand the system. A SOC 3 report covers the same criteria over a period but omits the detailed description and test results, which is why it can be a general-use report: the service organization may distribute it freely and may display a SOC 3 seal on its website indicating that the examination has been completed. Service organizations that typically receive a SOC 2 or SOC 3 report include data centers, co-location providers, network monitoring services, managed hosting services, and cloud computing services.
DECIDING TO DO A SOC REPORT
McKonly & Asbury highly recommends a readiness assessment as the first step for service organizations that have not previously had a SOC examination performed over their internal controls. The benefits of a readiness assessment include:
- Gaps in the current control structure are clearly communicated to the client before the examination period begins, which minimizes exceptions during the examination.
- The service organization has sufficient time to remediate any issues in its controls or control structure before they would be reported.
- The scope of the examination, along with the control objectives (SOC 1) or trust services categories (SOC 2/SOC 3) and the related control activities, is settled based on the results of the readiness assessment.
McKonly & Asbury has the experience and expertise to work with your organization to evaluate your preparedness for a SOC 1, SOC 2, or SOC 3 examination. Our goal is to evaluate your internal controls and reporting needs and then provide practical recommendations so that your SOC examination goes smoothly. We currently provide SSAE 18 SOC examination services to a variety of industries, including financial services, insurance processors, and information technology service providers. Our clients include insurance companies, third-party administrators, data centers, and data and software hosting companies.
Click here for more information concerning the SSAE 18 SOC 1, SOC 2, or SOC 3 examinations and readiness assessment services provided by McKonly & Asbury, or contact our team.