As for the SSAE 18 effective date, for opinion letters for audit reports dated on or after May 1, 2017, SSAE 18 is the reporting standard to be utilized in accordance with the AICPA Service Organization Control (SOC) reporting framework. And though “early adoption” was allowed, few service organizations actually achieved compliance with this newly formed attestation standard. In short, say goodbye (as of June 15, 2011) to the historical SAS 70 auditing standard, goodbye to SSAE 16 (as of May 1, 2017) and hello to not only SOC 1 SSAE 18 reporting, but also that of new provisions for SOC 2 and SOC 3 reporting – two great options for many of today’s technology oriented service organizations.
The transition from SSAE 16 to SSAE 18 has been relatively straightforward, as the following equirements and overall recommendations still hold true for SOC 1 SSAE 18 reporting:
Description of the System - Management of the service organization is required to develop a description of its "system", which, though similar to the historical SAS 70 auditing standard description of “controls”, is also seen as more comprehensive in nature
Written Statement of Assertion by Management - Management of the service organization must also effectively "assert" to a number of provisions and clauses regarding SOC 1 SSAE 18 Type 1 and Type 2 compliance.
SOC 2 and SOC 3 are Viable - Don't forget that for many of today's technology oriented service organizations, SOC 2 and SOC 3 (which incorporate the SysTrust and WebTrust Principles) are a great option when compared to SOC 1 SSAE 18 Type 1 and Type 2 reports.
Say hello again to AT 101 - This once, little-known AICPA professional standard is the authoritative guidance when conducting SOC 2 and SOC 3 reports, so get to know AT 101.
Subservice Organizations are a Critical Component of Reporting - Service organizations themselves actually have other "service organizations" providing material services to them, hence – be on the lookout for subservice organizations as they play an important role in SOC 1 SSAE 18 Type 1 and Type 2 reporting.
A competent, well-qualified IR CPA firm specializing in regulatory compliance should clearly be able to assist in all these matters regarding SOC 1 SSAE 18 reporting and the difference between SSAE 16 and SSAE 18. And don’t forget that the SSAE 18 effective date is for opinion letters for audit reports dated on or after May 1, 2017. So say goodbye to the SSAE 16 auditing standard, and hello to Statement on Standards for Attestation Engagements (SSAE) no 18.
Other notable information regarding the SSAE 18 effective date worth reviewing is the following: