What Companies Need to Know About Moving to SSAE No. 18
What has changed for Service Organization Controls (SOC) reports and attestation engagements in SSAE No. 18? The Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) has revised its attestation guidance in a new, clarified format. The changes aim to make the rules easier to understand and apply.
Out with the Old
The AICPA published Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification as part of the AICPA’s broad-ranging initiative to reformat much of its existing guidance. The standard is effective for reports dated on or after May 1, 2017.
In the clarified format, each section of the attestation guidance includes an objective, definitions of key terms, the section’s requirements for accountants, application guidance and explanatory material. For SOC reports, the recodification of attestation standards (SSAE No. 18) is largely a simplified version of the existing standards.
In with the New
The significant changes in SSAE No. 18 are:
- Written assertions
- Complementary subservice organization controls
- Vendor management
- Reliability of evidence
- Representation letters
- Incorporation of auditing concepts
Written assertions – Under the new guidance, an accountant is required to request a written assertion from the responsible party — which is usually the company’s management — for all attestation engagements. The pre-existing standards stated that a practitioner should ordinarily obtain a written assertion from the responsible party in only an examination or review engagement.
Complementary subservice organization controls – The services performed by a company’s subservice organizations, and whether the subservice organization’s controls have been included in or carved out of the scope of the examination, have always been part of the SOC 1 examination and resulting report. This change re-emphasizes the importance of describing this specific relationship and disclosing it in a fair manner. Fair presentation of subservice organizations includes a description of the controls (complementary subservice organization controls) that the service organization assumed in the design of its own controls.
Example – A service organization outsources data center operations to a colocation facility or its platform hosting services to a cloud services provider. The service organization assumes that the colocation provider or cloud services provider has implemented controls to address the physical and/or logical safeguarding of their operating environment. Those assumed safeguards and controls of the subservice organization are taken into consideration by the service organization in the design of its system in order to meet the control objectives stated in the organization’s system description. This change impacts the assertion letter to be included in the SOC reports.
Vendor management – The revised attestation standard formally includes monitoring of subservice organizations into the scope of a service organization’s SOC. Examples of monitoring activities include:
- Periodic discussion with the subservice organization personnel
- Regular site visits
- Testing controls at the subservice organization
- Monitoring external communications
- Reviewing SOC reports of the subservice organization’s system
Reliability of evidence – In the previous standards governing SOC reporting, evaluating the reliability of evidence produced by the service organization had not been described in such clear and definitive terms. Auditors of SOC reports are required to ensure that the evidence provided by the service organization is sufficiently accurate, complete and detailed for their audit purposes. For service organizations, this may require more detailed or corroborative artifacts supporting the evidence provided to auditors. SSAE No. 18 gives the following examples of information a service auditor receives that will likely require additional evaluation going forward:
- Population lists used for sample tests
- Exception reports
- Lists of data with specific characteristics
- System-generated reports
- Other system-generated data (e.g., configurations, parameters, etc.)
- Documentation that provides evidence of the operating effectiveness of controls, such as a user access listing
Representation letters – The new standard requires accountants to request written representations for all attestation engagements. Previous guidance for attestation engagements did not require a representation letter.
Incorporation of auditing concepts – The ASB generally equates an examination under the attestation standards with an audit under U.S. Generally Accepted Auditing Standards (GAAS). As a result, the new attestation standard adopts several requirements previously found only in GAAS. The most significant is a requirement to apply risk-assessment procedures in an attestation examination. The risk assessment includes an understanding of internal control over the subject matter, an assessment of the risks of material misstatement of the subject matter, and better linkage between the assessed risks and the examination procedures performed.
The new guidance for examination engagements also creates requirements similar to — but generally less detailed than — those in the auditing standards in the following areas:
- Tests of controls
- Analytical procedures
- Internal auditors