1. The SSAE 18 standard has effectively replaced SSAE 16 for reports dated on or after May 1, 2017. As such, practitioners, service organizations and all other interested parties should begin to take note of the following six (6) essential points regarding the new SSAE 18 standard and the new AICPA Service Organization Control (SOC) reporting platform, which consists of SOC 1, SOC 2, and SOC 3 reporting options. The SSAE 18 standard represents not only the emergence of a new “attest” standard, but also an entirely new approach to reporting on controls, as witnessed by the AICPA Service Organization Control (SOC) reporting framework, which consists of SOC 1, SOC 2, and SOC 3 reports. This new SOC framework, which effectively replaces the SSAE 16 auditing standard, provides service organizations and practitioners alike with a broad-based reporting platform for reporting on controls. Specifically, SOC 1 reports, which utilize the SSAE 18 standard for reporting purposes, focuses on
the internal control over financial reporting (ICFR) concept. SOC 2 reports, however, have been designed to meet the growing demand for reporting on controls on technology related entities, such as cloud computing vendors, Software as a Service (SaaS) entities, managed service providers, and software development companies, just to name a select few. Lastly, similar to SOC 2 is SOC 3, which utilizes the Trust Services Principles and can also can be effectively used for reporting on controls on the large and ever-growing list of technology oriented service organizations.
From SAS 70 to SSAE 16 and Now SOC 1 SSAE 18
Where SAS 70 and SSAE 16 were somewhat of a one-size fits all auditing standard used for many years for reporting on controls at service organizations, the new SOC framework provides entities with true, viable options that are much more reflective of today’s ever-changing business environment. Many would agree the changes were long overdue; hence the migration from SAS 70 and SSAE 16 to SSAE 17 and the new SOC framework has generally been well-received.
2. If you’ve undertaken SSAE 16 compliance in the past, you’d be wise to consider all reporting options under the now enhanced AICPA SOC framework, not just SOC 1, but also SOC 2 and SOC 3 reports. Most service organizations may feel compelled to simply migrate towards SOC 1 SSAE 18 reporting, due in large part to the current obscurity of SOC 2 and SOC 3 reports along with other perceived marketability issues with these respective reports. This perceived notion may very well be short-lived once the new AICPA SOC framework gradually becomes much more visible, transparent and better understood by all interested parties. Remember, the SOC 1 SSAE 18 framework is to be utilized for reporting on controls that have a clear and credible link to the internal control over financial reporting (ICFR) concept. SOC 2 and SOC 3 thus should be the viable option for today's growing list of technology related service organizations, such as those described above.
3. The SSAE 18 standard requires service organizations to provide a description of their "system", which is essentially the following: the services provided, along with the supporting processes, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities. Whereas the historical SAS 70 auditing standard required a description of one's "controls", a rather loose fitting term, the SSAE 16 standard's description of a "system" is generally regarded as more in-depth and comprehensive than the SAS 70 requirement. This alone will force service organization to spend considerable time and effort in developing a description of their "system".
4. Management of the service organization must now also provide the service auditor (i.e., the practitioner performing the SSAE 16 assessment) with a written statement of assertion. This "assertion", which was never a requirement for SAS 70, is essentially a statement whereby management is "asserting" to a number of essential clauses and statements regarding a number of areas related to the SSAE 16 (and now SSAE 18) assessment being performed.
5. The Internal Control Over Financial Reporting concept, which is widely known as ICFR, is a critical element of SOC 1 SSAE 18 reporting in that service organizations must create and establish a credible link with ICFR and their control environment that is being opined upon. In essence, they should ask themselves the following: What services and controls do we, as a service organization, have in place that affect the internal control over financial reporting (ICFR) for entities that utilize our services (i.e., user entities). If this question cannot be clearly answered, then service organizations should opt for a SOC 2 or SOC 3 reporting option, rather than that of the SOC 1 SSAE 18 standard.
6. The SSAE 18 standard also represents a migration towards globally accepted accounting principles, one that will be seen with even greater clarity as the push to adopt International Financial Reporting (IFR) standards continues to move forward. Additionally, SSAE 16 has an international equivalent known as the following: ISAE 3402 | The International Standard on Assurance Engagements, Assurance Reports on Controls at a Service Organization. ISAE 3402, put forth by the International Federation of Accountants (IFAC) in late 2010, closely mirrors the SSAE 16 (and now SSAE 18) standard, with the exception of a few technical differences. Hence, the SSAE 18 and ISAE 3402 standards ultimately represent a collaborative effort and understanding by both the American Institute of Certified Public Accountants (AICPA) and the International Federation of Accountants (IFAC) of the growing emergence of unified and globally accepted accounting principles.
Looking for a competitive, fixed fee for your SOC 1 SSAE 18 Type 1 or Type 2 report? Have questions about the new AICPA Service Organization Control (SOC) reporting platform? Contact us today at 1-800-277-5415, ext. 706 for an in-depth consultation.
