SOC 1 SSAE 18 compliance is a hot topic in the regulatory compliance world today, and for good reason. Statement on Standards for Attestation Engagements (SSAE) No. 18, known simply as SSAE 18, superseded SSAE 16 for service auditor reports dated on or after May 1, 2017; SSAE 16 had in turn replaced the longstanding SAS 70 auditing standard in 2011. In short, if you are a service organization that has undergone SAS 70 Type 1 and/or Type 2 audits, or SSAE 16 Type 1 and/or Type 2 examinations, in the past, it is time to gain a comprehensive understanding of three (3) critical points pertaining to SOC compliance under the new standard.
1. Learn about the AICPA SOC framework. In an effort to address the reporting needs of today's emerging service organizations, the American Institute of Certified Public Accountants (AICPA) developed a comprehensive platform known as Service Organization Control (SOC) reports. The SOC framework, which consists of SOC 1, SOC 2 and SOC 3 reports, gives service organizations a more effective means of describing and reporting on their underlying control environment than the historical SAS 70 auditing standard, which had unfortunately become a "one size fits all" auditing tool.
As such, the AICPA SSAE 18 standard (AT-C Section 320) is the professional standard used for issuing SOC 1 reports, which may be issued as Type 1 reports (the description of the system and the suitability of control design as of a point in time) or Type 2 reports (the description, design and operating effectiveness of controls over a specified period). The new "alphabet soup" of service organization reporting is a clear departure from the default SAS 70 auditing standard, which had become ubiquitously applied over time, but we will all eventually become familiar with the new reporting arrangement. For points of clarity, consider the following:
- SOC 1 reporting results in the issuance of SSAE 18 Type 1 or Type 2 reports (AT-C Section 320).
- SOC 2 reporting historically used the AICPA AT Section 101 professional standard; under SSAE 18 it is performed under AT-C Sections 105 and 205, again resulting in Type 1 or Type 2 reports.
- SOC 3 reporting uses the Trust Services Criteria (formerly the SysTrust/WebTrust principles and criteria), a broad-based set of principles and criteria originally put forth jointly by the AICPA and the CICA, and results in a general-use report that omits the detailed description of tests and results found in a SOC 2 report.
Alternatively, organizations considering SOC 2 or SOC 3 reporting may be better served by a limited-scope engagement covering only the control specifications identified and understood by the user organization(s), resulting in an "Agreed Upon Procedures" (AUP) report performed in concert with the user organization and the service organization's auditor (AT Section 201, now AT-C Section 215 under SSAE 18).
2. Understand the Relationship between SOC 1 SSAE 18 and the ICFR Concept. A core component of any SOC 1 SSAE 18 examination (Type 1 or Type 2) is a set of control objectives that relate to the user organizations' internal control over financial reporting, more commonly known as "ICFR." Thus, as a service organization, you may need to ask yourself this question: "What services and controls do we, as a service organization, have in place that affect the internal control over financial reporting (ICFR) of the entities that use our services (i.e., user organizations)?"
If you have difficulty answering this question, or cannot provide credible evidence linking the ICFR concept to your core operational activities and the control environment that supports your clients, you may need to opt for SOC 2 or SOC 3 reporting instead. Some user organizations or their auditors may incorrectly request SOC 1 compliance from service organizations that are not actually responsible for any ICFR function on behalf of the user organization(s).
When considering the relevance of ICFR functions to the user organization(s), first determine whether any financial data provided by the service organization appears in, or is used to derive, figures on the user organizations' financial statements. Then ask whether the service organization provides services that affect: (1) the record-keeping of a user organization (accounting entries or the accounting function, sometimes including estimates); (2) the authorization of transactions that may appear in the accounting system (revenue recognition, timing of expenses, or capital expenditures); or (3) control over, or custody of, the assets and/or liabilities that appear on the user organization's balance sheet(s). An affirmative answer to any of these establishes the link between the service organization's controls and the user organization's ICFR.
The SOC 1 SSAE 18 report and its underlying ICFR control objectives are intended as auditor-to-auditor reporting on whether the ICFR-relevant controls are in place (in existence, Type 1) and operating effectively (Type 2). Financial statement auditors of, or internal auditors at, the user organizations use the report to evaluate audit risk, control risk and/or detection risk as may be relevant.
Note: Mere custody of financial data by organization "A" (a data center or hosting provider is the typical case) on behalf of service organization "B," where "B" is the service organization responsible for the ICFR-relevant processing, does not by itself dictate SOC 1 reporting at organization "A"; "A" is more appropriately a candidate for SOC 2. "B" is the party responsible for the ICFR controls, while "A" is the SOC 2 facilitating entity.
Generally, candidates for SOC 1 SSAE 18 compliance include entities such as: (1) third-party administrators (TPAs); (2) actuarial and trust services; (3) payroll processors; (4) registered investment advisors (RIAs); and other service organizations that have established a clear link between the ICFR concept and the SOC 1 reporting framework.
Example: At a payroll processor (a service organization), calculations performed on data input by the user organization determine accrued payroll; payroll expense; payroll taxes; withholding taxes; accrued or paid deferred compensation; accrued vacation; qualified and non-qualified deferred plan accruals; and other financial estimates and calculations that clearly affect the financial statements of the user organizations. This is clearly and definitively ICFR, with the controls administered by the service organization.
3. There are a number of critical differences between SAS 70 and SSAE 16/SSAE 18 that you need to be aware of. The migration from SAS 70 to SSAE 16/SSAE 18 is not merely an academic exercise; it requires a practical understanding and working knowledge of at least the following subject matter for purposes of discussing the engagement with the auditor(s):
- The description of the service organization's "system" and overall "system of controls."
- The written assertion by management regarding the controls in place and their operating effectiveness.
- The concept of "monitoring" as a basis for making that assertion.
- The identification of risk and what risk assessment procedures are in place.
- The SSAE 18 reporting period relevant to the user organization.
- The internal audit function (particularly over ICFR, where and when necessary).
- Subservice organization reporting, which includes the "inclusive" and "carve-out" methods and, new under SSAE 18, the requirement to identify complementary subservice organization controls (CSOCs) and to describe how the service organization monitors the controls at its subservice organizations.
Service organizations seeking to undergo SOC 1 SSAE 18 compliance or SOC 2 compliance would benefit greatly from a Readiness Assessment, along with additional consultative services, to better assess their reporting needs under the AICPA SOC framework. To learn more and obtain a competitive, fixed fee for SOC compliance, contact Mr. Christopher G. Nickell, CPA, via direct dial at 1-800-277-5415, ext. 706, or via email.