SOC 1 SSAE 18 reporting will require many service organizations to re-calibrate many aspects of their annual compliance initiatives and directives regarding the new attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).  Specifically, SSAE 18 requires a written assertion by management along with a description of its “system”.  Additionally, service organizations will also benefit from having all facets of the new standard explained to them in greater detail, ultimately allowing for enhanced clarity and understanding of the overall scope, requirements and deliverables of the SSAE 18 standard. 

In short, there’s much more to SSAE 18 for service organizations than just developing a description of its “system” along with a written assertion by management.   As such, a SOC 1 SSAE 18 Readiness Assessment will help unearth fundamental topics such as the internal audit function, the concepts of “criteria” and “monitoring” along with other essential subject matter.

Topics to cover within a SOC 1 SSAE 18 Readiness Assessment would include, but are not limited to, the following:

  • Gaining a comprehensive and in-depth understanding of the SSAE 18 standard and how it differs from, but also relates to, other well-known country- and region-specific standards.
  • Conducting a scope analysis for a SOC 1 SSAE 18 engagement, which would include the following:
      1. What relevancy, if any, does the prior SSAE 16 Type 1 or Type 2 report have in relation to the new SSAE 18 standard?  For example, how much information from the previous SAS 70 description of “controls” can be used within the description of its “system” for SSAE 18 reporting?
      2. What control objectives and related controls are to be used that will form the basis for SOC 1 SSAE 18 reporting, and do they effectively meet requirements set forth by user entities for reporting purposes?
      3. Have all subservice organizations been identified, and if so, will the “carve-out method” or the “inclusive method” be used regarding these entities?
      4. How many physical locations are to be included within the scope of a SOC 1 SSAE 18 engagement for the service organization?
      5. What time period will be used for SOC 1 SSAE 18 reporting?
  • Does the service organization have in place an “internal audit function”?  If so, what are its roles and responsibilities, and may the service auditor rely on its work?
  • Note: Expert guidance should be provided to the service organization for developing a comprehensive description of its “system” along with a written assertion by management for SOC 1 SSAE 18 reporting.
  • Additionally, a well-qualified CPA firm specializing in SOC 1 SSAE 18 compliance will be able to provide the service organization with a series of SOC 1 SSAE 18 Readiness Assessment Questionnaires: highly customized templates and questionnaires directly related to one’s business environment.  These are essential in helping scope a SOC 1 SSAE 18 engagement along with identifying any gaps and weaknesses that will need to be remediated before the actual audit begins.
  • Lastly, additional resources, such as procedures and other essential documents, may be provided to the service organization to help it prepare for SOC 1 SSAE 18 compliance.

In summary, a SOC 1 SSAE 18 Readiness Assessment is a useful and proactive tool in helping any service organization meet their new reporting requirements in a seamless, efficient, and cost-effective manner.  Contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706 today to begin your SSAE 16 Readiness Assessment process.