SOC Update: SSAE 18 Presents Several Changes for Service Organizations

The following blog post from SC&H Group’s Risk Management Services team discusses the AICPA’s recent issuance of SSAE 18 (which supersedes SSAE 16), providing service organizations with insight into key changes in SOC 1 reporting and requirements.

In today’s healthcare, IT, and professional services industries, embracing new technologies and vendors is no longer an option. It’s essential. But, with change comes new and varied risks to your organization and clients.

To reflect this reality and the shifting effects of service organization controls (SOC) on client financial statements, the AICPA’s Auditing Standards Board (ASB) has issued new attestation standards relative to SOC 1 reports. The Statements on Standards for Attestation Engagements (SSAE) No. 18 supersedes SSAE No. 16 and is effective for SOC reports issued on or after May 1, 2017.

SSAE 18 clarifies certain criteria for practitioners who perform SOC 1 engagements, and requires several changes that will affect the controls and operations of service organizations. Three of the most significant changes include:

  1. Service organizations must report on controls designed to monitor the onboarding and ongoing effectiveness of vendor-managed controls
  2. Through a formal risk assessment, practitioners must obtain a more comprehensive understanding of subject matter to better identify the risks of material misstatement
  3. Practitioners may report on subject matter beyond controls related to a client’s financial reporting  

1. Vendor Management: Ongoing Processes to Monitor Control Effectiveness
The biggest change for service organizations is in the monitoring of vendors used to perform services that the organization provides to clients. These are services that are likely to be relevant to clients’ internal control over financial reporting.

For example, suppose your organization uses a third-party data center to house client financial information. SSAE 18 now requires you to implement processes that monitor the effectiveness of controls at the third-party data center throughout the period in scope.

SSAE 18 highlights the following activities that could be implemented at the data center to achieve sufficient monitoring levels:

  • Holding periodic discussions with the data center
  • Making regular site visits to the data center
  • Testing controls at the data center by members of your organization’s internal audit function
  • Reviewing Type 1 or Type 2 reports on the data center’s system
  • Monitoring external communications, such as customer complaints relevant to the services provided by the data center

To ensure compliance with this SSAE 18 requirement, we recommend establishing a third-party vendor management policy or ensuring that an existing policy is documented and consistently followed for all in-scope vendors.

2. Risk Assessment: Better Identification of the Risks of Material Misstatement
In addition to vendor management, SSAE 18 requires practitioners performing a formal risk assessment to take more specific consideration of the risks of material misstatement, such as:

  • Management’s description of the service organization’s system is not fairly presented
  • Controls are not suitably designed to provide reasonable assurance that the stated control objectives would be achieved if controls operated effectively
  • Controls did not operate effectively throughout the specified period to achieve the stated control objectives

To effectively identify the risks of material misstatement, practitioners must develop a more in-depth understanding of the subject matter through the documentation of a formal risk assessment at least annually. Doing so will allow for a better determination of the nature, timing, and extent of procedures to be performed in response to assessed risks.

3. Other Subject Matter: Reporting on Additional Control Areas
SSAE 18 also expands the potential subject matter that a practitioner may address via a SOC 1 report.

Per SSAE 18, practitioners may now report on nearly any outsourced service where third-party validation would be beneficial. This includes almost any subject matter, as long as it is appropriate and the criteria used for evaluation are suitable and available. Also, the practitioner must expect to obtain the necessary evidence, and their opinion, conclusion, or findings must be included in a written report.

Examples of acceptable subject matter include:

  • An entity’s compliance with laws, regulations, contracts, or agreements
  • The effectiveness of an entity’s controls over the security of a system
  • The performance of agreed-upon procedures on additional financial or non-financial matters

With the issuance of SSAE 18, SOC 1 reports may become more suitable for organizations that need a SOC report, but not necessarily the depth of a SOC 2 report.

For instance, suppose your organization is the data center mentioned above. If you host an array of client data, including financial information, traditionally you may have required SOC 1 and SOC 2 reports. Under the new standard, a SOC 1 report may suffice.

However, due to the confusion that SSAE 18 may cause when determining which SOC report is best for your organization, we recommend consulting a trusted SOC practitioner for guidance.

Additional, Notable Changes
While the above changes will likely result in the most significant effects on service organizations, SSAE 18 requires several other adjustments in SOC 1 reporting, such as:

  • Service organizations must provide a formal, signed assertion that the system description in the SOC 1 report is true and complete
  • Certain client controls and vendor (Complementary Service Organization) controls must be assumed in the design of the system description
  • Requirements are stricter regarding the completeness and accuracy of population data provided by service organizations for testing

SSAE 18 brings forth several necessary changes to SOC 1 reporting, though many will require adjustments on the parts of both service organizations and practitioners. Ultimately, by working with experienced SOC specialists, you can ensure that you are prepared for and knowledgeable about the effects of SSAE 18 on your organization.
