Say hello to Statement on Standards for Attestation Engagements (SSAE) no. 18 and goodbye to the historical SAS 70 and SSAE 16 auditing standards. For SOC reports dated on or after May 1, 2017, SSAE 18 now becomes the official standard for issuing SOC 1 Type 1 and SOC 1 Type 2 reports. And though there are similarities with SSAE 16, such as offering Type 1 and Type 2 reporting, the AICPA SSAE 18 standard is now part of a bigger, better, and much improved framework for reporting on controls at service organizations. It's called the Service Organization Control (SOC) framework, and you'll be hearing quite a bit about it.
The AICPA SOC Framework
Type 1 vs. Type 2
SOC 1 (SSAE 16/SSAE 18) Audit reports can be either Type 1 or Type 2, depending on the service organization's needs and requirements. For an ounce of clarity, just remember that a SOC 1 (SSAE 16/SSAE 18) Type 1 audit report is merely a "snapshot" in time, while a SOC 1 (SSAE 16/SSAE 18) Type 2 report covers what's commonly known as a "test period", which is generally seen as six (6) to twelve (12) months in length. For purposes of regulatory compliance – and for sufficing for increased client demands – SOC 1 (SSAE 16/SSAE 18) Type 2 reporting is ultimately what service organizations choose when reporting on their controls. Type 1 reports are a good stepping stone up to the Type 2 reporting process.
According to the now historical SSAE 16 publication (for which you can still reference to regarding important auditing subject matter, even though it has been superseded) put forth by the American Institute of Certified Public Accountants, a control objective is the "aim or purpose of specified controls at the service organization which address the very risks that these controls are intended to effectively mitigate". More simply stated, a control objective is an attribute that ensures a control or set of controls is operating effectively, and as designed. It's the basis of the entire SOC 1 (SSAE 16/SSAE 18) assessment process, and auditors and service organizations often work together in a collaborative manner in developing these control objectives. Technically speaking, however, the controls objectives and related controls are those of the service organization.
Subservice Organization Reporting
Subservice organizations have become a very important part of SOC 1 (SSAE 16/SSAE 18) Type 1 and Type 2 audit reports, and for good reason. Learn more about what subservice organizations are, such as the "inclusive" and "carve-out" reporting requirements.
Service Organization Requirements
Management has two very clear requirements for SOC 1 (SSAE 16/SSAE 18) audit reporting (for both Type 1 and Type 2). Provide a written statement of assertion, along with a description of its "system". Both the written assertion by management and the description of its "system" are requirements under SOC 1 (SSAE 16/SSAE 18) when compared to the historical SAS 70 auditing standard.
SOC 1 (SSAE 16/SSAE 18) vs. SOC 2 Debate
NDNB – Providers of Fixed-Fee SOC 1 (SSAE 16/SSAE 18), SOC 2, and SOC 3 Audits
As the nation’s leading provider of regulatory compliance services and solutions, NDNB offers competitively priced, fixed-fee SOC 1 (SSAE 16/SSAE 18), SOC 2, and SOC 3 audits and assessments. Whatever the industry, size, or location of your organization is, we have scalable, efficient, and high-quality services to meet your needs.