Security & Compliance Blog


SOC 1 SSAE 18 Standard and 6 Essential Points

1.  Say Hello to SSAE 18: The SOC 1 SSAE 18 auditing standard has effectively replaced SSAE 16 (SSAE 18 applies to service auditors' reports dated on or after May 1, 2017), which in turn replaced SAS 70 for reporting periods ending on or after June 15, 2011. With this being the case, all interested parties, service organizations in particular, should familiarize themselves with the following six (6) essential points regarding the AICPA (American Institute of Certified Public Accountants) SOC (System and Organization Controls) reporting platform, as well as SSAE 18, the standard under which these reports are issued.

SSAE 18 represents not only a new "attest" standard, but also a new approach to reporting on controls, as witnessed by the SOC framework, which consists of SOC 1, SOC 2, and SOC 3 reports. This framework, which has effectively replaced the outdated SSAE 16 and SAS 70 auditing standards, provides service organizations and practitioners alike with a considerably broader platform for reporting on controls.

Specifically, SOC 1 SSAE 18 reports focus on the concept of ICFR, or Internal Control over Financial Reporting. SOC 2 reports, on the other hand, have been designed to meet the growing demand for reporting on controls at technology-related entities, such as cloud computing vendors, Software as a Service (SaaS) providers and software development companies, to name a few. SOC 3 reports are similar to SOC 2, as both utilize the Trust Services Criteria (TSC); the difference is that a SOC 2 report is a restricted-use report that includes the auditor's detailed tests of controls, whereas a SOC 3 report is a shorter general-use summary that can be distributed freely. Both can be effectively used for reporting on controls at the large and ever-growing list of technology-oriented service organizations.

While SAS 70 was a one-size-fits-all auditing standard used for almost twenty years for reporting on controls at service organizations, the SOC framework now provides entities with true, viable options that are much more reflective of today's ever-changing business environment. Many would agree the changes were long overdue; hence, the migration from SAS 70 to the SOC framework has generally been well received.

2. Say Hello to 3 Reporting Options: If you have undertaken SAS 70 compliance in the past, you would be wise to consider all reporting options under the AICPA SOC framework, not just SOC 1, but also SOC 2 and SOC 3 reports. Many service organizations feel compelled to simply migrate towards SOC 1 SSAE 16 (now SOC 1 SSAE 18) reporting, primarily because SOC 2 and SOC 3 reports are less familiar to them and to their customers. This obscurity may very well be short-lived as the SOC framework becomes more visible, transparent and better understood by all interested parties.

Remember, the SOC 1 SSAE 18 framework is intended for reporting on controls that have a clear and credible link to the ICFR concept. Meanwhile, SOC 2 and SOC 3 are viable options for today's growing list of technology-related service organizations, such as those described above.

3.  Description of One's System: The SSAE 18 standard requires service organization management to provide a description of its "system", which can be defined as "the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities". Whereas the historical SAS 70 auditing standard required a description of one's "controls", the description of the "system" is considerably more in-depth than its predecessor. Thus, this requirement calls for more than just cut-and-paste from a previous SAS 70 report.

4. Management's Assertion: One requirement of SSAE 18 that is new relative to SAS 70 is the written statement of assertion. This "assertion", which was never a requirement for SAS 70 (it was introduced with SSAE 16 and carried forward into SSAE 18), is a statement whereby management asserts that the description of the system fairly presents the system as designed and implemented, that the controls were suitably designed to achieve the stated control objectives, and, for a Type 2 report, that those controls operated effectively throughout the period covered by the SSAE 18 assessment being performed.

5.  ICFR: The aforementioned concept of ICFR is a critical element of SOC 1 SSAE 18 reporting, in that service organizations must establish a credible link between ICFR and their control environment. In essence, organizations should be asking themselves: "What services and controls do we, as a service organization, have in place that affect the ICFR of the entities that use our services?" If this question cannot be clearly answered, then the service organization should opt for a SOC 2 or SOC 3 report rather than a SOC 1 SSAE 18 report.

6. Global Accounting Principles: SSAE 18 has a more global scope than SAS 70 ever had, as it represents a migration towards internationally converged attestation standards. This will be seen with greater clarity as the parallel push in accounting to adopt International Financial Reporting Standards (IFRS) continues to move forward. Additionally, SSAE 18 has an international equivalent known as ISAE 3402, the International Standard on Assurance Engagements, Assurance Reports on Controls at a Service Organization. ISAE 3402, issued by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC) in December 2009 and effective for periods ending on or after June 15, 2011, closely mirrors the SSAE 16 standard (and therefore SSAE 18, which largely carries SSAE 16 forward), with the exception of a few technical differences.

Hence, the SSAE 18 and ISAE 3402 standards ultimately represent a collaborative effort by the AICPA and IFAC towards a common, internationally understood basis for reporting on controls at service organizations.

To learn more about NDB's SSAE 18 reporting services and our competitive, fixed-fee pricing, contact Christopher G. Nickell, CPA. He can be contacted at 1-800-277-5415, ext. 706 or via email.
