Compliance White Papers


A SOC 1 SSAE 18 overview of all the important components of Statement on Standards for Attestation Engagements (SSAE) No. 18 can be found here, provided by NDNB. Many service organizations will be making the transition from SAS 70 to SSAE 16 (and now to SSAE 18 for reports dated on or after May 1, 2017), and as such, will need to gain a comprehensive understanding of this new “attest” standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).

Goodbye SAS 70 and SSAE 16 - Hello to SSAE 18

Start your SOC 1 SSAE 18 overview by gaining a strong understanding of how the new standard evolved along with the similarities shared with its international equivalent, ISAE 3402.  Additionally, you will need to learn about important service organization reporting requirements, such as the description of the “system” along with management’s responsibility to provide a written assertion.

Many organizations simply think that the transition from SAS 70 to SSAE 16 (now SOC 1 SSAE 18) is administrative and procedural, that is, that significant changes are not really taking place. Though there is some truth to this assumption, there are still material changes from SAS 70 that you should be aware of, most notably the two above-mentioned requirements (the description of the “system” and the written assertion by management of the service organization), but also others.

SOC 1 SSAE 18 Description of the “System”

The SOC 1 SSAE 18 description of the “system”, for example, is widely regarded by many practitioners to be more expansive and comprehensive than the SAS 70 description of “controls”. Thus, many service organizations will undoubtedly be spending significant time in developing a description of their “system” that truly meets the spirit of the standard. And as for the written assertion, a well-qualified CPA firm should be able to provide guidance and assistance in this matter (along with helping you develop a description of a service organization’s “system”).

Your SOC 1 SSAE 18 overview should also include gaining a strong understanding of the following areas:

•    What role, if any, will the internal audit function (or personnel performing similar procedures) play within your organization?
•    How are the new reporting requirements different from that of SAS 70?
•    What are the reporting requirements (inclusive method and carve-out method) for subservice organizations?
•    How can you put in place a sustainable and workable roadmap for SOC 1 SSAE 18 compliance, which should start with a readiness assessment?
•    What do you need to know about the AICPA Service Organization Control (SOC) reporting framework and its relationship to SSAE 18?

NDNB can provide your organization with a cost-effective “fixed fee” for all your compliance needs, including SOC 1 SSAE 18 engagements.
Thus, begin your SSAE 16 overview today and quickly get up to speed on the new attest standard for reporting on controls at service organizations.

To learn more about our services and pricing, please call Chris Nickell, CPA, at 1-800-277-5415, ext. 706.

Since 2006, NDNB has been setting the standard for security & compliance regulations