Compliance White Papers


SAS 70, the longstanding auditing standard put forth in April of 1992 by the American Institute of Certified Public Accountants (AICPA), is effectively being replaced by Statement on Standards for Attestation Engagements (SSAE) No. 16, simply known as SSAE 16, which has now been replaced by SSAE 18. This is a significant event for Third Party Administrators (TPAs) and other entities in the health and benefits arena, as a number of changes will need to be implemented to ensure a successful transition from SAS 70 to SSAE 16 and now to SSAE 18.

From SAS 70 to SSAE 16, and Now, SSAE 18

It’s important to understand the historical application and evolution of SAS 70 to SSAE 16 (and now SSAE 18), and particularly the new AICPA Service Organization Control (SOC) reporting framework, of which SSAE 16 is a part, before you can begin to make the necessary changes towards the new standard. SAS 70 became an immensely popular and well-recognized auditing standard utilized throughout the globe for reporting on controls at service organizations. However, it had greatly strayed from its original scope and intent: that of internal controls related to financial reporting (as CPAs we simply call this “ICFR”).

The eventual result was an auditing standard being used by the likes of data centers, software vendors, Software as a Service (SaaS) entities, and numerous other I.T. organizations for obtaining SAS 70 Type I and Type II compliance.  However, these types of businesses had little, if any, actual direct relevance to reporting on controls related to ICFR, thus the AICPA took steps within the regimen of standards to completely overhaul the entire framework for reporting on controls at service organizations.

The AICPA SOC Platform and SSAE 18

This new regimen has come together in the AICPA Service Organization Control (SOC) reporting platform, which consists of SOC 1, SOC 2, and SOC 3 reports. In short: goodbye to SAS 70, and say hello to the new SOC platform and to SSAE 16 for reporting periods ending on or after June 15, 2011. Now, for opinion letters dated on or after May 1, 2017, SSAE 18 is the new standard, so goodbye to SSAE 16! SOC 1 reports, which should be of great interest to TPAs, are rooted in the concept of internal controls related to financial reporting (ICFR), for which SSAE 16 is the professional standard used for issuing SOC 1 SSAE 18 reports. SOC 2 and SOC 3 reports are designed for all those “other” entities outside the direct scope of ICFR, such as those mentioned above (i.e., data centers, software vendors, etc.).

Without question, TPAs are SOC 1 SSAE 18 candidates, not SOC 2 or SOC 3, due to their significant involvement with a wide range of activities for their clients that are particularly financial in nature. From processing and pricing of claims, to claims payment, along with handling significant monetary issues such as stop-loss/reinsurance claims, just to name a few, a TPA is an organization that falls directly under the ICFR scope. So, maybe that’s the easy part: knowing you need to obtain a SOC 1 SSAE 18 Type 1 or Type 2 assessment (much like a SAS 70 Type 1 or Type 2 audit) under the new AICPA SOC platform.

Essential SSAE 18 Information for TPAs

What’s more challenging to a TPA is gaining a comprehensive understanding of the must-know, “hot button” issues when transitioning from SSAE 16 to SOC 1 SSAE 18, such as the following:

1.    The description of the Service Organization’s “system.” Look at the description of one's "system" as the services provided, along with the supporting processes, policies, procedures, personnel, and operational activities that constitute the service organization's core activities that are relevant to user entities. In short, TPAs are going to have to develop and ultimately provide a detailed and comprehensive narrative on their organization's core business platform and ICFR. Because of the flexibility and looseness of the SAS 70 auditing standard, many TPAs will find their current description deficient, and work will have to be done to meet the stated intent and application of SOC 1 SSAE 18.

2.    The Written Assertion by Management. Management of the TPA organization must now also provide a written statement, essentially "asserting" to a number of clauses and provisions for SOC 1 SSAE 18, such as the fair presentation of the description of the system, and the suitability of the design of the controls, either at a specific date (SOC 1 SSAE 18 Type 1 report) or throughout a specified time period (SOC 1 SSAE 18 Type 2 report), to achieve those control objectives, along with having them operate effectively throughout the specified time period, particularly in reference to the applicable ICFR.

3.    The concept of “Monitoring.” The organization must also have in place an effective "monitoring" program for assessing the effectiveness of one's internal controls. This is an important component, and organizations need to implement the necessary processes and procedures to ensure this is taking place. Often, an organization may have ongoing monitoring that simply needs to be documented more formally, with an audit trail for inclusion as evidential matter for validation of the aforementioned written assertion.

4.    The identification of “Risks.” With SOC 1 SSAE 18, a risk-based methodology should be implemented for addressing key risk areas in one's organization, thereby establishing protocols under which management is essentially responsible for identifying risks that threaten the achievement of the stated control objectives and for determining whether the controls sufficiently address those risks. To help undertake this process, it's helpful if management of the service organization initiates an annual risk assessment process for effectively identifying all risks, both internal and external. Particularly with reference to relevant ICFR, control risk should be assessed on a recurring basis and monitoring re-evaluated for determining the effectiveness of ICFR.

5.    The SOC 1 SSAE 18 reporting period. With SAS 70, the functional date for controls in place was stated as "the report on controls placed in operation as of" a specific closing date of the relevant test period. A SOC 1 SSAE 18 Type 2 report requires auditors to provide information on the controls in place for the entire assessment period, not just on the "as of" date.

Here are the critical points to remember from this white paper:

1.    SAS 70 is being replaced with SSAE 16 (or, in turn, SOC 2 when ICFR is not present).
2.    SSAE 18 is part of the new AICPA Service Organization Control (SOC) reporting platform.
3.    As a TPA, make sure to ask your CPA to issue you a SOC 1 SSAE 18 Type 1 or Type 2 report under the SOC 1 report framework.
4.    SOC 1 SSAE 18 effectively supersedes SSAE 16 for opinion letters dated on or after May 1, 2017.
5.    Management of the TPA will have to provide a written description of its "system" along with a written assertion by management of the relevant effectiveness.

In short, the changes from SAS 70 to SSAE 16 are not cosmetic or merely academic, as some have been led to believe. Rather, constructive efforts will have to be undertaken by all TPAs to ensure the successful migration from a historical auditing standard to a new attest standard. You can learn more about SOC 1 SSAE 18 and the new AICPA SOC framework by visiting

Since 2006, NDNB has been setting the standard for security & compliance regulations