SSAE 18 and How it Impacts SOC Engagements
About this time last year, the American Institute of Certified Public Accountants (AICPA) released a new standard that will change how accounting firms and service organizations approach their SOC 1 engagements. Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification, does not make wholesale changes to the SOC reporting process; rather, it was intended to clarify some of the requirements of SSAE 16 (and other SSAEs) and to bring further convergence with the standards of the International Auditing and Assurance Standards Board. For SOC engagements, the revised standard adds requirements in a few key areas, most significantly in the monitoring of subservice organizations and in the performance of risk assessment procedures.
Monitoring of Subservice Organizations
The most significant change many Service Organizations will face in transitioning to a SOC 1 engagement under SSAE 18 concerns how they monitor the Subservice Organizations they use in serving their customers. Under the new standard, a Service Organization must have designed and implemented controls to monitor its Subservice Organizations, and must include these controls and processes in the description of its system.
A common example of a Service Organization/Subservice Organization relationship is a data center contracted by a Service Organization to host some or all of its information technology infrastructure. Many Service Organizations have elected to present the data center using the carve-out method, excluding the controls of the data center (the Subservice Organization) from their system description and from their SOC 1 report. Carving out the data center may still be reasonable, but the Service Organization must now consider the controls at the data center and ensure that it properly monitors those controls. A variety of mechanisms can be used to do so, including site visits to the Subservice Organization, but the most common monitoring activity will be obtaining, reviewing, and assessing the Subservice Organization's Type 2 SOC 1 or SOC 2 report. That review should include reading the service auditor's report, evaluating the results of the service auditor's testing, confirming that the period covered by the report adequately overlaps the Service Organization's own examination period, and understanding and ensuring compliance with the complementary user-entity controls that the Subservice Organization indicates should be in place.
While SSAE 18 does not significantly change how a Service Organization uses its Subservice Organizations, it is critical that the Service Organization design and document the monitoring controls that will ensure compliance with the requirements of SSAE 18.
Risk Assessment
The other substantial change for consideration is the SSAE 18 requirement for a more robust and detailed risk assessment of the service organization. Detailed risk assessments have been more common among Service Organizations undergoing SOC 2 and SOC 3 engagements, which must address the AICPA's Trust Services Criteria, but they must now be performed by Service Organizations undergoing SOC 1 engagements as well. For SOC 1, the service organization's management will need a clearly defined process for identifying and evaluating the risks that threaten the achievement of the control objectives. In addition, the risk assessment will need to clearly link the controls identified in management's description of the service organization's system to those risks, including risks arising from each of the described classes of transactions and risks that information technology poses to the user entity's internal control over financial reporting. The Service Auditor will be required to obtain this risk assessment and to evaluate whether it properly identifies and assesses the risks facing the Service Organization.
Other Considerations and Effective Date
SSAE 18 covers a variety of attestation engagements, not just SOC engagements, so organizations that require other types of examinations should contact their accounting and audit firm to understand the impact of these changes. The new standard is effective for all reports dated on or after May 1, 2017.
If you have any questions on the implications of SSAE 18 for your SOC 1 report, please contact our team.