Compliance White Papers

Taking the hassle out of staying compliant


The SSAE 16 standard, put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), marked a significant change in service organization reporting.  First and foremost, it replaced the long-standing Statement on Auditing Standards No. 70 (SAS 70), which had been issued in April 1992.  SSAE 16 was in turn superseded by SSAE 18, which applies to service auditor's reports dated on or after May 1, 2017.

Say Hello to SOC 1 SSAE 18 Reports

Statement on Standards for Attestation Engagements (SSAE) No. 16 and No. 18 both represent a convergence with, and migration toward, more globally accepted attestation standards.  As such, SSAE 16, SSAE 18 and their international equivalent, ISAE 3402, share a common framework: all require the service organization to provide a description of its "system" along with a written assertion by management. These two requirements are noticeably different from those of the U.S.-based SAS 70 standard, which called only for a description of "controls" and did not require a written assertion by management.

Regarding SSAE 16, the AICPA also issued a four-page PDF document titled "FAQs - New Service Organization Standards and Implementation Guidance" in which it answered many of the pressing "hot button" questions about SSAE 16. Some of them are technical, but others speak to the overall intent and use of SSAE 16.  For example,

A SOC 1 SSAE 18 Report is officially a "Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls".

SOC 1 SSAE 18 Type 2 Reports will Include the Following Content

  • A description of the service organization's "system".
  • A written assertion from management of the service organization that the description fairly presents the service organization's system as designed and implemented throughout the specified period, and that the controls related to the control objectives stated in the description of the "system" were suitably designed and operated effectively throughout the specified period to achieve those control objectives.
  • A service auditor’s assurance report.

Please keep in mind that the official SOC 1 SSAE 18 Type 2 Report, officially known as "Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls", may be referred to by any of the following phrases:

  • SOC 1 SSAE 18 Type 2 "Compliance" or "Compliant"
  • SOC 1 SSAE 18 Type 2 Service Auditor's Report
  • SOC 1 SSAE 18 Type 2 "Report" or "Reporting"

You may even hear the phrases "SOC 1 SSAE 18 Certified" or "SOC 1 SSAE 18 Certification", which are incorrect, as the AICPA SSAE 18 standard is not a certification, nor does it result in a service organization being certified.  The correct representation is that your organization has undergone a SOC 1 SSAE 18 attestation engagement and, as a result, has been issued a SOC 1 SSAE 18 Type 1 or Type 2 report as evidence.

Service organizations that are new to the reporting requirements for SOC 1 SSAE 18 would benefit greatly from a SOC 1 SSAE 18 Readiness Assessment, a proactive consultative engagement that greatly assists the overall process.  Contact Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, to receive a competitive, fixed fee for all your SOC 1 SSAE 18 and SOC 2 compliance needs.

A SOC 1 SSAE 18 Type 1 Report is officially a "Report on management's description of a service organization's system and the suitability of the design of controls".

SOC 1 SSAE 18 Type 1 Reports will Include the Following Content

  • A description of the service organization's "system".
  • A written assertion from management of the service organization that the description fairly presents the service organization's system as designed and implemented as of the specified date, and that the controls related to the control objectives stated in the description of the "system" were suitably designed as of the specified date to achieve those control objectives.
  • A service auditor’s assurance report.

As with any new standard, expect a number of commonly used terms and phrases to be associated with SOC 1 SSAE 18 Type 1 reporting, such as the following:

  • SOC 1 SSAE 18 Type 1 Service Auditor's Report
  • SOC 1 SSAE 18 Type 1 "Compliance" or "Compliant"
  • SOC 1 SSAE 18 Type 1 "Report" or "Reporting"
  • SOC 1 SSAE 18 Type 1 "Certified" or SOC 1 SSAE 18 Type 1 "Certification"

Please note that the phrase "SOC 1 SSAE 18 Type 1 Certified" or "SOC 1 SSAE 18 Type 1 Certification" is technically incorrect, as a service organization is NOT becoming "certified" or achieving SOC 1 SSAE 18 Type 1 "certification". This incorrect terminology rose to prominence with the huge popularity of the SAS 70 auditing standard, which ultimately resulted in organizations proclaiming themselves SAS 70 "certified".

Service organizations that would greatly benefit from a SOC 1 SSAE 18 Type 1 report are those that have never gone through any type of audit for reporting on controls (such as SSAE 16, CICA 5970, or any other region/country specific standard) and who are seeking to ultimately obtain a SOC 1 SSAE 18 Type 2 report.

Why a SOC 1 SSAE 18 Readiness Assessment is Essential

Additionally, regardless of whether your organization is seeking a SOC 1 SSAE 18 Type 1 or Type 2 report, a SOC 1 SSAE 18 Readiness Assessment is highly beneficial for ensuring you understand the scope of the audit along with the fundamental changes between SSAE 18 and the prior SSAE 16 and SAS 70 standards.  A competent and highly qualified SOC 1 SSAE 18 auditing firm will be able to provide your organization with a SOC 1 SSAE 18 Readiness Assessment.  Contact Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, to receive a competitive, fixed fee for all your SOC 1 SSAE 18 and SOC 2 compliance needs.

SOC 1 SSAE 18 reporting will require many service organizations to re-calibrate aspects of their annual compliance initiatives to meet the attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).  Specifically, SSAE 18 requires a written assertion by management along with a description of its "system".  Service organizations will also benefit from having all facets of the standard explained to them in greater detail, allowing for enhanced clarity and understanding of the overall scope, requirements and deliverables of SSAE 18.

In short, there’s much more to SSAE 18 for service organizations than just developing a description of its “system” along with a written assertion by management.   As such, a SOC 1 SSAE 18 Readiness Assessment will help unearth fundamental topics such as the internal audit function, the concepts of “criteria” and “monitoring” along with other essential subject matter.

Topics to cover within a SOC 1 SSAE 18 Readiness Assessment would include, but are not limited, to the following:

  • Gaining a comprehensive and in-depth understanding of the SSAE 18 standard and how it differs from, but also relates to, other well-known country and region specific standards.
  • Conducting a scope analysis for a SOC 1 SSAE 18 engagement, which would include the following:
  1. What relevancy, if any, does a prior SAS 70 or SSAE 16 Type 1 or Type 2 report have in relation to the SSAE 18 standard?  For example, how much information from a previous SAS 70 description of "controls" can be reused within the description of the "system" for SSAE 18 reporting?
  2. What control objectives and related controls are to be used that will form the basis for SOC 1 SSAE 18 reporting, and do they effectively meet the requirements set forth by user entities for reporting purposes?
  3. Have all subservice organizations been identified, and if so, will the "carve-out method" or the "inclusive method" be used regarding these entities?
  4. How many physical locations are to be included within the scope of a SOC 1 SSAE 18 engagement for the service organization?
  5. What time period will be used for SOC 1 SSAE 18 reporting?
  • Does the service organization have in place an “internal audit function”?  If so, what are its roles and responsibilities, and may the service auditor rely on its work?
  • Note: Expert guidance should be provided to the service organization for developing a comprehensive description of its “system” along with a written assertion by management for SOC 1 SSAE 18 reporting.
  • Additionally, a well-qualified CPA firm specializing in SOC 1 SSAE 18 compliance will be able to provide the service organization with a series of SOC 1 SSAE 18 Readiness Assessment Questionnaires; a series of highly customized templates and questionnaires directly related to one’s business environment.  These are essential in helping scope a SOC 1 SSAE 18 engagement along with identifying any gaps and weaknesses that will need to be remediated before the actual audit begins.
  • Lastly, additional resources, such as procedures, and other essential documents may be provided to the service organization for helping prepare them for SOC 1 SSAE 18 compliance.

In summary, a SOC 1 SSAE 18 Readiness Assessment is a useful and proactive tool in helping any service organization meet its reporting requirements in a seamless, efficient, and cost-effective manner.  Contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706 today to begin your SOC 1 SSAE 18 Readiness Assessment process.

SOC 1 (SSAE 16/SSAE 18) reporting has brought about a number of new requirements for service organizations, one in particular being that of providing a description of its "system". The term "system" and its description can carry a number of meanings and may very well be interpreted slightly differently among service organizations having to comply with SOC 1 (SSAE 16/SSAE 18).

With that said, the term "system" should be looked upon as the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities.

Important Elements for SOC 1 (SSAE 16/SSAE 18) Description of the "System"

Additionally, the description of the service organization's "system" should also identify the period the description relates to, along with providing a listing of control objectives. Please keep in mind that under SOC 1 (SSAE 16/SSAE 18) reporting there is no explicit or strict requirement regarding how the "system" is actually documented or to what extent. Thus, the format, depth, and scope of documenting the "system" will without question vary from one service organization to another.

Even so, service organizations should strive to incorporate a comprehensive discussion of the following components when documenting the description of its "system":

  • The services being provided along with the classes of transactions processed.
  • The procedures used, from beginning to end, both automated and manual, for the transactions (such as the flow of the transactions and all activities, from initiation to correction of errors, as necessary).
  • How the system captures and also addresses significant events and conditions along with the processes and procedures used to prepare and report information as necessary to user entities.
  • The control objectives, related controls and user control considerations.
  • The service organization's elements of internal control, based on the COSO framework, which consist of the following: 1. Control Environment. 2. Control Activities. 3. Information and Communication. 4. Risk Assessment. 5. Monitoring.

While the AICPA SAS 70 auditing standard called for a description of "controls", SOC 1 (SSAE 16/SSAE 18) requires a description of the "system". This fundamental difference may force service organizations to revise and enhance their previous SAS 70 description of "controls" into a description of the "system", due in large part to the difference between the criteria management used for previous reporting and the criteria established for SOC 1 (SSAE 16/SSAE 18). Careful consultation with an experienced and qualified SOC 1 (SSAE 16/SSAE 18) auditor will help in assessing your reporting needs.  Please contact us today by speaking with Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, to learn more about SOC 1 SSAE 18 and to receive a competitive, fixed-fee quote today.

North America’s Leading Provider of SOC 1 (SSAE 16/SSAE 18) and SOC 2 Audits

NDNB provides a wide range of regulatory compliance services, all at competitively priced fixed fees. From SOC 1 (SSAE 16/SSAE 18), SOC 2, SOC 3, EI3PA, ACH Audits, MERS compliance, internal audits, and more, we're one of the country's leading providers of compliance audits. Whatever your needs are in terms of today's demanding and challenging regulatory compliance landscape, we're here to help you every step of the way, from scoping and readiness assessments to the final audit itself.

While SOC 1 (SSAE 16/SSAE 18) requires management of the service organization to provide a description of its "system" along with also producing a written assertion, there are also a number of other requirements and responsibilities to be undertaken for SOC 1 (SSAE 16/SSAE 18) reporting.

Though much has been written and discussed regarding the description of the "system" and the written assertion, it's important to also gain an understanding of the following key issues regarding SOC 1 (SSAE 16/SSAE 18):

  • "Monitoring of Controls" concept
  • "Identification of Risks" concept
  • "Suitable Criteria" concept

Why? Because these concepts constitute a critical component of the actual service organization's description of its "system" along with the written assertion, both of which management must provide for SOC 1 (SSAE 16/SSAE 18) reporting.

Understanding the Importance of "Monitoring" of Controls for SOC 1 (SSAE 16/SSAE 18)

SOC 1 (SSAE 16/SSAE 18) reporting allows management's monitoring activities to provide evidence regarding the design and operating effectiveness of controls, ultimately allowing the service organization to use the concept of "monitoring" as a key principle in support of the written assertion. In simpler terms, "monitoring" is a process by which the effectiveness of internal controls is assessed through activities that are generally built into the day-to-day operations of many service organizations, along with separate evaluations.

A service organization's monitoring activities for purposes of SOC 1 (SSAE 16/SSAE 18) reporting can include the following:

  • Evaluations of daily operations
  • Management and supervisory activities
  • Internal audit functions
  • System and manual checks and balances
  • Communication with third party entities
  • Additional safeguards, controls, processes, procedures, and oversight activities that assist in monitoring a service organization’s system.

Understanding "Identification of Risks" and "Suitable Criteria" Concepts

Regarding the SOC 1 (SSAE 16/SSAE 18) "Identification of Risks" concept, management is essentially responsible for identifying risks that threaten the achievement of the stated control objectives found within the description of the "system". In simpler terms, what processes, both formal and informal, does management have in place for identifying risks? Does the service organization undertake an annual risk assessment? Does your risk assessment process include a comprehensive analysis of your control environment and the related control objectives that are to be included within the description of the "system"? Do your control objectives adequately address all the risks your organization seeks to mitigate?

And finally, the SOC 1 (SSAE 16/SSAE 18) "Suitable Criteria" concept is grounded in the assumption that management of the service organization is responsible for selecting the criteria and for their appropriateness. Furthermore, the "suitable criteria" concept states that the subject matter must be capable of being evaluated against "criteria" considered suitable for the intended users. In simpler terms, the subject matter, which is management's description of its "system", is to be evaluated against certain criteria, which are the elements that constitute the fairness of the presentation of the service organization's system. Additionally, the suitability of the design of controls (SOC 1 (SSAE 16/SSAE 18) Type 1) and the operating effectiveness of controls (SOC 1 (SSAE 16/SSAE 18) Type 2) must also be evaluated against suitable criteria.

The Importance of Management's Written Assertion for SOC 1 (SSAE 16/SSAE 18)

What's fundamentally important to note about these three concepts ("Monitoring of Controls", "Identification of Risks", "Suitable Criteria") is that they all play a critical role in helping management of the service organization develop and provide the description of its "system" along with the written assertion for SOC 1 (SSAE 16/SSAE 18) reporting.  Thus, be advised that management's written assertion will contain specific references to the criteria used.  Looking for a competitive, fixed fee for all your SOC 1 (SSAE 16/SSAE 18), SOC 2, and SOC 3 reporting needs? Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 today.

The Emergence of SOC 2 Reports

Furthermore, while SOC 1 (SSAE 16/SSAE 18) is one of the most well-known and respected compliance frameworks in the world, SOC 2 assessments are now outpacing SOC 1 (SSAE 16/SSAE 18). This is due primarily to the large growth of technology services, and to the fact that the SOC 2 standard was essentially developed for evaluating the control environments of technology-oriented companies. From data centers to cloud vendors, software developers, and more, SOC 2 is becoming the preferred third-party assessment.

NDNB – North America's Leading Provider of SOC 1 and SOC 2 Audits – Fixed Fees

When it comes to regulatory compliance, turn to the trusted experts today at NDNB. Visit ssae16.org today to learn more about SOC 1 and SOC 2 audits, along with numerous complimentary services offered by us. NDNB also offers SOC 3, EI3PA, ACH Audits, MERS compliance, internal audits, along with many other specialty services, so contact us today to learn more.

Since 2006, NDNB has been setting the standard for security & compliance regulations