
There are many SOC 1 SSAE 18 requirements that you need to be aware of regarding compliance with Statement on Standards for Attestation Engagements (SSAE) No. 16. The transition from SAS 70 to SSAE 16, and now to SSAE 18, is not merely academic, as some would believe; rather, thoughtful consideration of a number of critical components is necessary for fully understanding this new attestation standard put forth by the AICPA. By gaining a greater understanding of the following SSAE 18 requirements, your organization can successfully transition from SAS 70 to the new Service Organization Reporting (SOC) framework.

1. Understand the evolution of the SSAE 18 standard.

Though not an actual SSAE 18 requirement, it is highly beneficial to learn about the important dynamics, drivers, and influential issues that propelled the AICPA toward SOC 1 SSAE 18, which effectively replaced the longstanding SAS 70 and SSAE 16 auditing standards.

2. Learn about the new Service Organization Reporting (SOC) framework.

The American Institute of Certified Public Accountants (AICPA) has completely overhauled service organization reporting on controls, which, until recently, was largely limited to Statement on Auditing Standards No. 70, commonly known as SAS 70. The result of their arduous efforts is three (3) reporting options: SOC 1, SOC 2, and SOC 3.

What's interesting to note about the new Service Organization Control (SOC) framework is that it fundamentally addresses the growing dynamics and changing complexities of service organizations in today's business environment.

Specifically, the SOC 1 reporting framework, which results in the issuance of a SOC 1 SSAE 18 Type 1 or Type 2 report, is fundamentally geared towards service organizations that have a credible link or "nexus" to the internal control over financial reporting (ICFR) concept. Likewise, SOC 2 and SOC 3 reports are aimed primarily at the growing number of technology and cloud computing service organizations, such as Software as a Service (SaaS) providers, data centers, managed services entities, and other technology vendors.

3. Develop a Description of a System.

One of the most critical SOC 1 SSAE 18 requirements is the ability to develop an in-depth and comprehensive description of a "system", which can best be defined as follows: the services provided, along with the supporting processes, procedures, personnel, and operational activities that constitute the service organization's core activities relevant to user entities. What's more, the new SOC 1 SSAE 18 audit guide, published by the AICPA, provides a detailed framework for what is considered acceptable format and content for a "system" description. Thus, if you've undertaken SAS 70 compliance in the past, your previous description of "controls" will have to be greatly enhanced or changed altogether to ensure a credible and valid SSAE 16 description of a "system".

4. Provide a Written Statement of Assertion.

Of all the SOC 1 SSAE 18 requirements that must be met, the written statement of assertion is unique in that it requires management of the service organization to "assert" to a number of clauses regarding the description of the "system", control objectives, suitable criteria, and other supporting references. Moreover, the written statement of assertion was never a requirement under the previous SAS 70 auditing standard, so service organizations would be wise to contact an IR CPA firm for assistance with this task.

5. Understand Subservice Organization Reporting Requirements.

The SSAE 18 requirements for subservice organizations are quite clear, requiring management of the service organization to (a) identify any relevant subservice organizations and (b) decide on the reporting option for them, which is either the carve-out method or the inclusive method. As with the written statement of assertion, assistance from an IR CPA firm specializing in SSAE 18 compliance would be helpful.

6. Learn about the Internal Audit Function.

If your organization has an internal audit function in place that conducts routine daily operational activities, testing, and other assurance initiatives, these functions and their results may very well form a critical component of a SOC 1 SSAE 18 engagement. Ultimately, this could result in efficiencies of scale for the engagement itself, so it's beneficial to determine the internal audit function's role, if any, in SSAE 18 compliance.

7. Additional Responsibilities and Requirements.

Other responsibilities and SSAE 18 requirements for a service organization include understanding, interpreting, and implementing the following measures:

  • The "Monitoring of Controls" concept
  • "The Identification of Risks"
  • The "Suitable Criteria" concept

Want to learn more about the SOC framework and SOC 1 SSAE 18 compliance? If you have questions or would like to receive a competitive, fixed-fee proposal, please contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706.

Since 2006, NDNB has been setting the standard for security & compliance regulations