Moving from SSAE 16 to SSAE 18 – Part 1March 24, 2017
Learn more about the major changes and new requirements for users relative to monitoring service organization controls inherent in SSAE 18 as its effective date of May 1, 2017 draws closer.
What is SSAE 18?
SSAE 18 (Statement on Standards for Attestation Engagements No. 18), issued by the Auditing and Standards Board (“ASB”) of the AICPA as part of its Clarity and Convergence project originated in 2004, consolidates all previous attestation standards for performing attestation engagements into one standard.
As part of this, SSAE 18 sets forth new/enhanced requirements for Service Organization Control (“SOC”) reports under “one roof” in section AT-C Section 320. Previously, SOC reports were issued under different guidance: SOC 1 reports under SSAE 16 and SOC 2/3 reports under AT 101.
Although SSAE 18 addresses other attestation engagements (such as Agreed upon Procedures), we will focus solely on the provisions relative to this new SOC reporting.
A Renewed Emphasis on Vendor Management
SSAE 18 accentuates the importance of having a strong vendor management program. The biggest change incorporated in SSAE 18 relates to the monitoring of subservice organizations. A subservice organization is an organization that is used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal controls over financial reporting.
SSAE 18 requires controls to be implemented by the service organization to monitor the effectiveness of controls at the subservice organization.
What does it mean for Service Organizations and Subservice Organizations?
The easiest way to understand this new requirement is with an example.
Company X is a Service Organization that provides business intelligence (including financial statement reporting) to its clients. Company X uses a SaaS cloud provider to host its software and its client’s data.
In the above scenario (which is very common), the SaaS cloud provider is a “subservice organization” to Company X. Under SSAE 18, Company X is required to monitor the activities of the subservice organization and provides various examples, including:
- Reviewing and reconciling output reports generated by the subservice organization.
- Holding periodic discussions with the subservice organization.
- Making regular site visits to the subservice organization.
- Testing controls at the subservice organization by members of the service organization’s internal audit function.
- Reviewing Type I or Type II reports on the subservice organization’s system.
- Monitoring external communications, such as customer complaints relevant to the services by the subservice organization.
For service organizations, this may require more detailed and corroborative evidence that supports their monitoring of the controls of their subservice organizations. In reality, this should already be occurring. If it does not already exist, a service organization should implement a comprehensive vendor management policy that addresses the SSAE 18 requirements.
For subservice organizations, this may require providing additional support, correspondence or other avenues for its clients to assess the quality of its controls.
What does it mean for Auditors of Users of Service Organizations?
Auditors of users of Service Organizations will need to understand the new requirements of SSAE 18 to ensure that their clients are reviewing the SOC reports generated by the Service Organizations and that the reports are complete.
Other SSAE 18 Changes
We will be discussing the other changes included in SSAE 18 in upcoming blogs. Although these changes are lesser in scope, they are important nonetheless and involve:
- Complementary Subservice Organization Controls
- Written Assertion Requirement by the Service Organization and;
- More specific requirements of the Service Auditor in its Risk Assessment procedures.
KLR performs numerous SOC 1 and SOC 2 examinations and readiness assessments and can work with you in understanding and implementing the new SSAE 18 requirements. Contact us for help in addressing these new requirements or if you have any questions on its content.