A New Standard Emerges
The terms SSAE 16 and SAS 70 have been used quite extensively in the auditing world as of late, and for good reason. Statement on Auditing Standards No. 70, known simply as SAS 70 to many, is nearing the end of its lifespan after approximately 19 years of service. Since its inception in April of 1992, the US auditing standard gradually grew to become the global de facto framework used for reporting on controls at service organizations. From Canada to the Far East and Argentina to Australia, SAS 70 and its local derivatives became a well-known, widely used, and universally accepted audit mechanism that provided assurance to a large and ever-growing pool of user entities.
But as all things come to pass, Statement on Standards for Attestation Engagements (SSAE) No. 16, known as SSAE 16, has been put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Its purpose was to replace an aging SAS 70 standard that needed to be refreshed, but more importantly, to keep pace with the growing push towards more globally accepted international accounting standards. Thus, SSAE 16 was born in 2010, an "attest" standard that closely mirrors its international "assurance" equivalent, ISAE 3402, which was issued by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC).
Service Organization Control (SOC) Reports, known as SOC 1, SOC 2 and SOC 3 Reports, form a comprehensive framework put forth by the American Institute of Certified Public Accountants (AICPA) geared towards reporting on controls at service organizations. Unlike Statement on Auditing Standards No. 70 (SAS 70), which became a global "de facto" reporting standard used for almost any entity labeled or deemed a "service organization", the SOC framework is a specific set of reporting initiatives aimed at clarifying, distilling, and bringing much-needed transparency to reporting on controls at service organizations.
What You Need to Know About SOC 1 & SOC 2 Reporting
Though there are a number of critical elements that helped shape and ultimately form the new SOC reporting framework, it's important to note that each of the three SOC reports is aimed at very specific needs and reporting requirements for service organizations themselves. We live in a complex and ever-changing business environment, one that has seen exponential growth in outsourcing coupled with increasing demands for assurance from the very service organizations that are performing critical functions for other entities (i.e., user organizations, user entities). As such, the SOC reports are aimed at reporting on controls for service organizations throughout a wide range of industries and business sectors.
NDNB also provides third-party assurance reporting that may fall outside the scope of SSAE 16.
While the SOC 1 SSAE 18 reporting framework and standard is primarily geared towards reporting on controls at service organizations that provide services to user entities, where those controls are likely to be relevant to the user entities' internal control over financial reporting, there is also a need to report on controls outside of financial reporting.
As such, the American Institute of Certified Public Accountants (AICPA) suggests that practitioners (i.e., service auditors) perform an Attest Engagement in accordance with AT Section 101. Additionally, the AICPA is very aware of the dramatic changes that information technology is bringing to the business arena as a whole and will be publishing additional information and helpful guides for meeting these needs.
AICPA SOC 1 and SOC 2 Publications - Get them!
Specifically, the AICPA has been putting forth guides that help practitioners report on controls at service organizations that are increasingly utilizing cloud computing services and other technology-related platforms.
You can gain a greater awareness of the importance of AT Section 101 by fundamentally understanding the new AICPA SOC reporting framework, which consists of SOC 1, SOC 2 and SOC 3 reports. If your organization is seeking third-party assurance reporting that may potentially fall outside the scope of an SSAE 16 attestation engagement, please contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706 to receive a competitive, fixed fee.
SOC 1 (SSAE 16/SSAE 18) reports require management of the service organization to provide the service auditor (i.e., the practitioner performing the SOC 1 (SSAE 16/SSAE 18) engagement) with a written assertion. This "written assertion" forms one of the key differences from previous standards, such as the now-retired SAS 70 auditing standard, which did not require one.
What's fundamentally important to note about the written assertion is that management must effectively "assert" to a number of clauses, such as the following:
- That management's description of the service organization's "system" fairly presents the service organization's system as designed and implemented either at a specific date (SOC 1 SSAE 16/SSAE 18 Type 1 report) or throughout a specified time period (SOC 1 SSAE 16/SSAE 18 Type 2 report).
- Additionally, management must "assert" that the controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives, either at a specific date (Type 1 report) or throughout a specified time period (Type 2 report), and, for a Type 2 report, that they operated effectively throughout the specified time period.
- Management must also state the criteria used to make these assertions, which again are additional statements and supporting references regarding risk factors relating to controls and control objectives and (for a Type 2 report) that the controls were consistently applied.
What's also important to note about the written assertion by management is that it can either be included within the actual description of the service organization's "system" or simply attached to the description of the system itself. Since the written assertion comes from management of the service organization, it should essentially be on the letterhead of the actual service organization. Similarly, the ISAE 3402 standard, which is the global standard used for reporting on service organizations, also gives readers two excellent examples of management's assertion, which can be found in the final ISAE 3402 publication (issued December 2009) on pages 36 and 37.
But before you can move forward with writing management's written assertion for SOC 1 (SSAE 16/SSAE 18) compliance, one needs to have a strong understanding of exactly what a description of a service organization's "system" is. Lastly, a qualified and well-skilled service auditor specializing in SOC 1 (SSAE 16/SSAE 18) compliance will be able to provide you with excellent guidance and example documentation regarding management's assertion along with a description of the service organization's system. Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, to learn more about SOC 1 (SSAE 16/SSAE 18) and to receive a competitive, fixed-fee quote today.
NDNB – North America’s Leading Provider of SOC 1 (SSAE 16/SSAE 18) and SOC 2 Audits
An ISAE 3402 Type 2 report is known as the "Report on the description, design and operating effectiveness of controls at a service organization". As such, an ISAE 3402 Type 2 Report will contain the following:
- A description of the service organization's "system".
- A written assertion from the service organization regarding the fair presentation of the system as designed and implemented throughout the specified period, and that the controls related to the control objectives stated in the description of the system were suitably designed throughout the specified period and operated effectively throughout the specified period.
- A service auditor's assurance report.
Please keep in mind that if your organization has previously achieved SAS 70 or SOC 1 SSAE 16 Type 1 or Type 2 compliance, the new ISAE 3402 standard will require a description of the service organization's "system", as opposed to the now defunct SAS 70 (and SSAE 16) standard, which called for a description of "controls". The differences may be subtle for some entities; however, a large number of service organizations may have to spend considerable time and effort developing their description of the "system".
Thus, it is highly recommended that service organizations undertake an ISAE 3402 Readiness Assessment to properly understand the changes brought about by the new global standard on assurance reporting. The two most commonly discussed differences from the previous SAS 70 auditing standard, (1) a service organization's description of its "system" and (2) the written assertion provided by management, are well known, but there are also a number of other critical issues that service organizations need to be aware of concerning ISAE 3402.
To learn more about ISAE 3402 Type 2 reports, contact a well-qualified CPA firm to assist your organization in achieving ISAE 3402 compliance. Contact Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, to receive a competitive, fixed fee for all your SOC 1 SSAE 16 and SOC 2 compliance needs.
ISAE 3402, put forth by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC), is the globally accepted standard for assurance reporting on controls for service organizations.
NDNB also provides ISAE 3402 Type 1 reporting services for service organizations, known as the "Report on the description and design of controls at a service organization". Much like the SSAE 16 standard, an ISAE 3402 Type 1 report includes the following content:
- A description of the service organization's "system".
- A written assertion from the service organization regarding the fair presentation of the system as designed and implemented as at the specified date, and that the controls related to the control objectives stated in the description of the system were suitably designed as at the specified date.
- A service auditor's assurance report.
Thus, management of the service organization will need to pay careful attention to the new reporting requirements for ISAE 3402, particularly the description of its "system" along with the written assertion. If your organization has undertaken SAS 70 Type 1 or SAS 70 Type 2 compliance in the past, which called for a description of "controls", you will now need to ensure that you have a comprehensive understanding of what's needed to develop a description of one's "system" in accordance with the SSAE 18 standard.
Some service organizations may find that only subtle changes are needed, while others may have to spend considerable time developing their description of their "system". Because of these new reporting requirements, service organizations would benefit greatly from an ISAE 3402 readiness assessment performed by a competent, well-qualified CPA firm.