SOC 1 SSAE 18 audit requirements can best be explained in two distinct ways – first, providing a comprehensive overview of the actual SSAE 18 standard itself – then discussing the actual requirements that must be met for ensuring compliance with Statement on Standards for Attestation Engagements (SSAE) no. 18. With that said, let’s step back and learn about the evolution of SSAE 18, which begins with a discussion on the following subject matter:
Understand the Evolution of SSAE 16 and SSAE 18. The AICPA SSAE 18 attestation standard essentially replaced the aging and antiquated SSAE 16 and SAS 70 auditing that had been in use for approximately 25 years. From April of 1992, to March of 2017, SAS 70 and SSAE 18 were the dominant, global de facto compliance mandates for reporting on controls at service organizations. But twenty-five years with two standards – and one that never really went through any major revisions – is a long time indeed, thus the AICPA began planning for big changes, which ultimately led to the pronouncement of SSAE 18, which became an important component of the AICPA Service Organization Control (SOC) reporting framework.
Learn about the AICPA SOC framework. After years of faithful service, the SAS 70 auditing standard and SSAE 18 was effectively superseded by not only the SSAE 18 attestation standard, but a completely new framework for reporting on controls at service organizations. Known as Service Organization Control (SOC) reports, the SOC framework is a radical departure from the one-size-fits-all approach held by SAS 70 for approximately twenty (20) years. In short, with three reporting options – SOC 1, SOC 2, and SOC 3 – service organizations have more flexibility and more choices regarding third-party assessments of their control environments. While SOC 1 has quickly become the dominant reporting option, SOC 2 and SOC 3 are extremely viable, especially for many of today’s technology companies.
Choosing between SOC 1 SSAE 18 Type 1 or Type 2 Reporting. SOC 1 SSAE 18 reporting offers two options – Type 1 or Type 2 reporting for service organizations. The general trend is for any organization new to third-party reporting of their internal control environment, to begin with a SOC 1 SSAE 18 Type 1 report, followed up by subsequent SOC 1 SSAE 18 Type 2 reporting. Type 1 reporting is merely a “snapshot” in time – a specific day, while SOC 1 SSAE 18 Type 2 reporting covers what’s known as a “test period”, which is generally a minimum of six (6) months, but also can be that of eight, ten, or even twelve months. And because the “test period” provides much more insight and overall assurances of a service organization’s control environment, it’s seen as the much more credible reporting option.
Develop a Description of its “system”. One of the most important components of all the SSAE 18 audit requirements is for management to develop a description of its “system” – specifically - “the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities.” If you’re new to SOC 1 SSAE 18 compliance, then a competent and well-qualified PCAOB CPA firm can assist with this requirement. Writing a thoughtful and comprehensive description of one’s “system” can take considerable time – but remember –it’s an absolute requirement for SOC 1 SSAE 18 Type 1 and Type 2 reporting.
Go to Part II of the SOC 1 SSAE 18 Audit Requirements whitepaper.