Compliance White Papers

Taking the hassle out of staying compliant


1. The SSAE 18 standard has effectively replaced SSAE 16 for reports dated on or after May 1, 2017. As such, practitioners, service organizations and all other interested parties should begin to take note of the following six (6) essential points regarding the new SSAE 18 standard and the new AICPA Service Organization Control (SOC) reporting platform, which consists of SOC 1, SOC 2, and SOC 3 reporting options. The SSAE 18 standard represents not only the emergence of a new “attest” standard, but also an entirely new approach to reporting on controls, as witnessed by the AICPA Service Organization Control (SOC) reporting framework, which consists of SOC 1, SOC 2, and SOC 3 reports. This new SOC framework, which effectively replaces the SSAE 16 auditing standard, provides service organizations and practitioners alike with a broad-based reporting platform for reporting on controls. Specifically, SOC 1 reports, which utilize the SSAE 18 standard for reporting purposes, focus on

SOC 1 SSAE 18 data center compliance seems to be a timely consideration due to the new AICPA Statement on Standards for Attestation Engagements (SSAE) No. 16 replacing SAS 70, at least in part, with the advent of the new Service Organization Control (SOC) reporting framework, which consists of SOC 1, SOC 2, and SOC 3 reporting. Many accountants, auditors, and data center industry participants alike have assumed that the switch from SAS 70 to SSAE 16 is merely academic in that their historical SAS 70 reports will simply be carried over to the new SSAE 16 standard, with minimal changes.

If this simple and incorrect approach is undertaken by some within the data center industry, then they will be hindering the actual deployment and the intended benefits of the new SOC framework reporting regimen. The overall SOC framework, which consists of SOC 1, SOC 2, and SOC 3 reporting options, functionally represents categories of compliance based on a service organization’s nexus to “internal controls over financial reporting” (ICFR).

And the new SOC reporting now includes SSAE 18, which has effectively replaced SSAE 16 for audit reports dated on or after May 1, 2017.

SAS 70, the longstanding auditing standard put forth in April of 1992 by the American Institute of Certified Public Accountants (AICPA), is effectively being replaced by Statement on Standards for Attestation Engagements (SSAE) No. 16, simply known as SSAE 16, which has now been replaced by SSAE 18. This is a significant event indeed for Third Party Administrators (TPAs) and other entities in the health and benefits arena, as a number of changes will need to be implemented to ensure a successful transition from SAS 70 to SSAE 16 and now to SSAE 18.

The AICPA Service Organization Control (SOC) reporting framework, which consists of SOC 1, SOC 2 and SOC 3 reports, represents a significant milestone in reporting on controls at service organizations, and one that many felt was long overdue. SAS 70, a well-known and globally recognized auditing standard that was put forth in 1992, became the only real essential mechanism used for third-party reporting on service organizations for many years. Sure, there were other country and region specific standards, but none of them equaled the status and notoriety of SAS 70. As such, the standard became widely used, but it also strayed heavily from its original intent as that of reporting on controls related to internal control over financial reporting.

Add to that the fact that the dynamics of service organizations had drastically changed and that a new international standard for reporting on controls, known as ISAE 3402, was born, and it became quite apparent that the AICPA had to make comprehensive changes to SAS 70. In short, enter the SOC reporting framework, along with SSAE 16 (and now SSAE 18) and AT Section 101, and exit the long-standing SAS 70 standard.

Goodbye SAS 70 and SSAE 16; Hello SSAE 18

To be fair, the AICPA was well-aware of the changing landscape of service organizations, such as the rise of cloud-based computing, the migration towards international accounting standards (such as ISAE 3402) and the overall need to revamp an antiquated and misused auditing standard (SAS 70). In fact, the AICPA and the International Federation of Accountants (IFAC) worked together in a collaborative fashion, as witnessed by the striking similarities these two new standards (SSAE 16, and now SSAE 18, and ISAE 3402) represent for reporting on controls at service organizations.

With that said, it's important to gain a comprehensive understanding of the AICPA Service Organization Control (SOC) reporting framework, what it is and what it means to you as a service organization. As stated earlier, there are three (3) reporting options under the new SOC framework: SOC 1, SOC 2 and SOC 3. Probably the single most important aspect to understand is that the SOC framework represents the AICPA's keen understanding of the complexities that have evolved over the last two decades for service organizations and the need to provide auditors with tools to meet the growing compliance demands of these organizations. As such, the AICPA’s revamping of reporting on controls for service organizations from that of a single, antiquated standard (SAS 70) to a new comprehensive framework (SOC) will forever change the reporting requirements for service organizations.

SOC 1 SSAE 18 and SOC 2 Audits are Growing in Acceptance Worldwide

SOC 1 reports are to be utilized for service organizations reporting on controls relevant to internal control over financial reporting (ICFR). SOC 2 reports will be utilized for reporting on controls for the growing list of I.T. related organizations, such as cloud computing, Software as a Service (SaaS), managed services, along with data centers, just to name a few. SOC 3, similar in framework to that of SOC 2, will also likely be used for I.T. related service organizations, ultimately resulting in a general use report available to the public. Very quickly, it seems like phrases such as SOC 1, SOC 2, SOC 3, SSAE 18, and AT Section 101 can become quite confusing. Get the facts and speak to an expert. Call Chris Nickell, CPA, directly at 1-800-277-5415, ext. 706.

 

A SOC 1 SSAE 18 overview of all the important components of Statement on Standards for Attestation Engagements (SSAE) No. 18 can be found here, at socreports.com, provided by NDNB. Many service organizations will be making the transition from SAS 70 to SSAE 16 (and now to SSAE 18 for reports dated on or after May 1, 2017), and as such, will need to gain a comprehensive understanding of this new “attest” standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).

Goodbye SAS 70 and SSAE 16 - Hello to SSAE 18

Start your SOC 1 SSAE 18 overview by gaining a strong understanding of how the new standard evolved along with the similarities shared with its international equivalent, ISAE 3402. Additionally, you will need to learn about important service organization reporting requirements, such as the description of the “system” along with management’s responsibility to provide a written assertion.

What is SSAE 16?

That seems to be the chatter of late for many CPA firms, service organizations, and other interested parties. Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is the new "attest" standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). For reporting periods ending on or after June 15, 2011, SSAE 16 will become the new standard for reporting on controls at service organizations, essentially replacing Statement on Auditing Standards No. 70, simply known as SAS 70.

Since 2006, NDNB has been setting the standard for security & compliance regulations