As for the SSAE 18 effective date, for opinion letters for audit reports dated on or after May 1, 2017, SSAE 18 is the reporting standard to be utilized in accordance with the AICPA Service Organization Control (SOC) reporting framework. And though “early adoption” was allowed, few service organizations actually achieved compliance with this newly formed attestation standard. In short, say goodbye (as of June 15, 2011) to the historical SAS 70 auditing standard, goodbye to SSAE 16 (as of May 1, 2017) and hello to not only SOC 1 SSAE 18 reporting, but also that of new provisions for SOC 2 and SOC 3 reporting – two great options for many of today’s technology oriented service organizations.
The transition from SSAE 16 to SSAE 18 has been relatively straightforward, as the following equirements and overall recommendations still hold true for SOC 1 SSAE 18 reporting:
Description of the System - Management of the service organization is required to develop a description of its "system", which, though similar to the historical SAS 70 auditing standard description of “controls”, is also seen as more comprehensive in nature
Written Statement of Assertion by Management - Management of the service organization must also effectively "assert" to a number of provisions and clauses regarding SOC 1 SSAE 18 Type 1 and Type 2 compliance.
SOC 2 and SOC 3 are Viable - Don't forget that for many of today's technology oriented service organizations, SOC 2 and SOC 3 (which incorporate the SysTrust and WebTrust Principles) are a great option when compared to SOC 1 SSAE 18 Type 1 and Type 2 reports.
Say hello again to AT 101 - This once, little-known AICPA professional standard is the authoritative guidance when conducting SOC 2 and SOC 3 reports, so get to know AT 101.
Subservice Organizations are a Critical Component of Reporting - Service organizations themselves actually have other "service organizations" providing material services to them, hence – be on the lookout for subservice organizations as they play an important role in SOC 1 SSAE 18 Type 1 and Type 2 reporting.
A competent, well-qualified IR CPA firm specializing in regulatory compliance should clearly be able to assist in all these matters regarding SOC 1 SSAE 18 reporting and the difference between SSAE 16 and SSAE 18. And don’t forget that the SSAE 18 effective date is for opinion letters for audit reports dated on or after May 1, 2017. So say goodbye to the SSAE 16 auditing standard, and hello to Statement on Standards for Attestation Engagements (SSAE) no 18.
Other notable information regarding the SSAE 18 effective date worth reviewing is the following:
SOC 1 SSAE 18 Type 1 vs. Type 2 is a common subject area researched by service organizations, as they're searching for credible information relating to the similarities and differences between SOC 1 SSAE 18 Type 1 and Type 2 reporting. And while most service organizations eventually undertake SOC 1 SSAE 18 Type 2 compliance, a SOC 1 SSAE 18 Type 1 assessment is often looked upon as a great starting point for entities new to the world of reporting on controls at service organizations.
SOC 1 SSAE 18 Type 1
Specifically, a SOC 1 SSAE 18 Type 1 assessment is for a specific point in time (i.e., August 27, 20xx), while a SOC 1 SSAE 18 Type 2 report covers a period in time, which is known as the "test period". This test period is generally seen as six (6) months in length, but can also be any number of months necessary for testing of controls. Because of this, many SOC 1 SSAE 18 Type 2 assessments are 6, 8, 10, or even 12 months long.
SOC 1 SSAE 18 Type 2
Thus, for SOC 1 SSAE 18 Type 2, reporting is done on the “suitability of the design and operating effectiveness of controls” for a given period, whereas for SOC 1 SSAE 18 Type 1, there is no testing on the “operating effectiveness of controls”. For an ounce of clarity, just remember that SOC 1 SSAE 18 Type 2 reporting covers a period (generally 6 months, or more), while SOC 1 SSAE 18 Type 1 is merely a snapshot in time – that is – reporting on for a specific date. And also remember that SOC 1 SSAE 18 Type 1 reporting is seen merely as a starting point for service organizations, with the ultimate goal of undertaking SOC 1 SSAE 18 Type 2 reporting procedures.
Understanding the Difference with SOC 1 SSAE 18 Type 1 and Type 2 Audits
But there are similarities also when it comes to SOC 1 SSAE 18 Type 1 vs. Type 2 reporting. Specifically, both the description of the service organization’s “system”, along with a written statement of assertion are required by management for Type 1 and Type 2 reporting. The description of the "system" is essentially the following:
"the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities."
As for the written statement of assertion by management, it's simply a document whereby management of the actual service organization must assert to a number of clauses and provisions relating to the actual SOC 1 SSAE 18 assessment being conducted, either a Type 1 or a Type 2.
Important Points to Know Regarding SOC 1 SSAE 18 Type 1 vs. Type 2
As can clearly be seen, there are differences, but also similarities - but again - it's important to remember the following points regarding SOC 1 SSAE 18 Type 1 vs. Type 2 reporting:
1. SOC 1 SSAE 18 Type 1 reporting is for a snapshot or point in time.
2. SOC 1 SSAE 18 Type 2 covers a "period" for reporting, generally a six (6) month test period, or more.
3. Type 1 reporting is merely just a stepping stone for what's ultimately required by service organizations - Type 2 reporting.
4. Both SOC 1 SSAE 18 Type 1 and Type 2 reporting require the written statement of assertion, along with a description of one’s “system”.
5. Subservice organizations can play an important role in both Type 1 and Type 2 reporting.
Call Christopher G. Nickell, CPA, to receive to learn more about SOC 1 SSAE 18 Type 1 and Type 2 reporting, and to receive a competitive, fixed-fee proposal. He can be reached at 1-800-277-5415, ext. 706.
There are a number of SOC 1 requirements for surh reports that service organizations should be aware of. The SSAE 18 standard, which effectively replaced the SSAE 16 auditing standard for opinion letters dated on or after May 1, 2017, has quickly become the global de facto reporting option for service organizations, thus it's important to take note of the following SOC 1 requirements, along with general notes and comments that will help all interested parties learn more about SOC 1 reporting:
1. Description of the "system": Management of the service organization is ultimately responsible for providing what's technically known as the description of its "system" - which is the following:
"the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities."
SAS 70 had a similar requirement called a description of "controls", but the SSAE 16 description - and now, the SSAE 18 description - of one's "system" is looked upon as a more detailed and comprehensive requirement than that of SAS 70's description of controls. And though there are not hard and fast rules on how to document one's system, and to what extent, service organizations should really try to include as much relevant information as possible.
2. Written statement of assertion by management: Additionally, management of the service organization must also provide the service auditor with a written statement of assertion - that is - a document that effectively asserts to a number of important provisions and clauses relating to the engagement itself. This "assertion" was never a requirement for the previous SAS 70 auditing standard, but now forms an important component of service organization reporting for SSAE 16, and now, SSAE 18. A competent and well-qualified IR CPA firm can assist service organizations in drafting this "assertion", as it essentially has been pre-written by the American Institute of Certified Public Accountants (AICPA) within a number of their Service Organization Control (SOC) publications.
3. SSAE 18 Standard: This is the AICPA attestation standard that fundamentally reshaped the entire third-party reporting platform for service organizations. Specifically, SSAE 18 superseded and effectively replaced the SSAE 16 auditing standard for opinion letters dated on or after May 1, 2017. Furthermore, SSAE 18 has become the professional standard for which the SOC 1 framework is based upon, allowing service organizations to undergo SOC 1 SSAE 18 Type 1 and SOC 1 SSAE 18 Type 2 reporting.
4. AICPA Service Organization Control (SOC) Reporting Platform. There’s been quite a bit of talk about the AICPA “SOC” platform, so what’s important to note are the three (3) reporting options, SOC 1, SOC 2, and SOC 3. While SOC 1 was designed for service organizations who have a true nexus with the ICFR concept (Internal Control over Financial Reporting), SOC 2 and SOC 3 are aimed at many of today’s technology oriented service organizations, such as data centers, cloud computing vendors, managed service providers, and others. And while the adoption of SOC 2 and SOC 3 has been a little slower than anticipated, awareness for these reporting options is gaining ground. SOC 1, however, continues to be the dominating force for reporting on controls at service organizations.
5. SOC 1 vs. SOC 2. Though SOC 1 is considered the more well-known and often used reporting platform for today’s service organizations, SOC 2 demands equal merit and attention, and for a number of credible reasons. First, it’s a great reporting option for service organizations that don’t have a true relationship or “nexus” with the ICFR concept – Internal Control over Financial Reporting. Second, for many of today’s technology oriented service organizations, SOC 2, and the five (5) accompanying Trust Services Principles (TSP), are an excellent platform for reporting on controls related to (1). Security. (2). Availability. (3). Processing Integrity. (4). Confidentiality, and (5). Privacy. And don’t forget that SOC 3, which also utilizes the Trust Services Principles, is another great option for reporting on controls.
Other notable topics worth exploring regarding SOC compliance are the following:
• What is a service organization?
• Subservice organization reporting
• AT 101
• SOC 3 compliance
Contact Christopher G. Nickell, CPA, to learn more about SOC 1 (SSAE 18 reporting) and NDNB’s competitive, fixed-fee pricing for SOC 1, SOC 2 and SOC 3 reports. He can be reached at 1-800-277-5415, ext. 706, or at This email address is being protected from spambots. You need JavaScript enabled to view it., today.
SSAE 16 reporting, specifically Type 1 and Type 2 assessments, are being required by more and more organizations today, especially those that provide critical outsourcing functions for other entities. Think of payroll companies, Third Party Administrators (TPA), data centers - just to name a few - and you're on the right track. With such prominence being placed on SSAE 16 reporting, it's important to learn about the ACIPA standard that effectively replaced the longstanding SAS 70 auditing standard from 1992. As such, take note of the following five (5) important things to know about SSAE 16 reporting:
As for SOC 1 SSAE 18 audits and auditors who work on these engagements, it's critically important to know that the AICPA has put forth information regarding the internal audit function. Specifically, if the actual service organization has an internal audit department or internal audit personnel, then they may possibly play a role in the actual SOC 1 SSAE 18 assessment being conducted by the practitioner (i.e., the CPA performing the SOC 1 SSAE 18 engagement). As such, take note of the following 5 important points regarding SOC 1 SSAE 18 internal auditors and the internal audit function.
1. Determine if the service organization has an internal audit department. First and foremost, it's important to ask the right questions when conducting scoping activities for a SOC 1 SSAE 18 Type 1 or Type 2 assessment. With that said, when working with the CPA firm whose conducting the engagement, make sure to discuss what -if any -functions does your organization have in regards to internal audit. Specifically, are there personnel that perform periodic and/or routine testing of controls related to daily operational activities within your organization?
Even more, does your organization outsource internal audit procedures to a third-party entity - and if so - what do they do specifically? Essentially, service organizations need to asking themselves the "who, what, when, where, and why" regarding internal audit activities. In doing so, this will help with proper scoping of the actual SOC 1 SSAE 18 Type 1 or Type 2 assessment, and may even provide some efficiencies.
2. Determine the adequacy of the internal audit function. It's critically important to learn about the personnel involved in the internal audit function, who they are, the work they perform, etc. Essentially, you want to ensure they are professional, competent individuals and the work they've actually performed is objective, unbiased, complete, and accurate. You can't rely on work that's been performed by inexperienced internal audit personnel, nor can you rely on the results of their work either.
3. Determine the nature and scope of the work to be performed. If you find yourself digging deeper into the internal audit function, then that's because points 1 and 2 above have been met in a satisfactory manner, so that can be good news. You'll know need to determine exactly what work is to be or has been performed by the internal audit function within an organization and how it actually correlates to the SOC 1 SSAE 18 Type 1 and/or Type 2 engagement.
4. Determine how significant is the work to the actual service auditor's findings and conclusions for a SOC 1 SSAE 18 engagement. This statement generally runs parallel to the previous issue just discussed. Essentially what it means is once you've agreed on the scope of the internal audit function, how critical, important, relevant, and vital is it to the actual findings for the engagement? For example, was the internal audit function conducting procedures over areas considered high risk, or were they simply testing low-level controls. etc? Each internal audit function will play a vastly different role in each SOC 1 SSAE 18 assessment, so just remember that for an ounce of clarity.
5. Determine the degree of subjectivity that is to be used in evaluating the evidence to support the actual conclusion. In simpler terms, what this really means is how is the evidence (i.e., documentation) obtained from the internal audit function evaluated? What measures are to be utilized for inspecting and relying on the evidence?
As on one can clearly see, the SOC 1 SSAE 18 internal audit and auditor function "can" become an extremely relevant and material component of the overall SOC 1 SSAE 18 assessment process. And remember, because every organization's internal audit function is different, the above steps and related processes and procedures will need to be undertaken, no question about it.
Listed below are additional topic which might interest you regarding SOC 1 SSAE 18:
• The AICPA SOC framework.
• SOC 1 vs. SOC 2.
• SOC 2 Reporting Framework.
Please contact Christopher G. Nickell, CPA, to learn more about NDNB's SSAE 16 services and our competitive, fixed-fee pricing. He can be contacted at 1-800-277-5415, ext. 706 or via email at This email address is being protected from spambots. You need JavaScript enabled to view it. today.
AT Section 101 vs. SOC 1 SSAE 18 often comes up as a topic of conversation because they're both an important component of the AICPA Service Organization Control (SOC) reporting framework. Specifically, SSAE 18 (as of May 1, 2017) is the professional standard used for SOC 1 reporting, while AT Section 101 is the professional standard used for SOC 2 and SOC 3 reporting. And AT Section 101 has only really gained considerable attention because of the AICPA SOC platform, which allows service organizations three reporting options to choose from - SOC 1, SOC 2, and SOC 3. With that said, take note of the following essential points regarding AT Section 101 vs. SOC 1 SSAE 18.
1. AT Section 101 and SOC 2 and SOC 3: As just stated, AT Section 101 is the professional standard used for SOC 2 and SOC 3 reporting. It's a relatively little-known standard, but has now been pushed into the spotlight thanks to the AICPA SOC reporting platform. Look at AT Section 101 as a standard that provides general provisions and guidelines for attesting to a specific subject matter.
2. SOC 1 SSAE 18 and SOC 1: As for SOC 1 SSAE 18, it's much more well-known than AT Section 101, due in large part that it effectively has replaced the two-decade old SAS 70 auditing standard, and also SSAE 16. And though many in the accounting and auditing profession refer to it as simply "SSAE 18 reports", it's technically the professional standard used for issuing SOC 1 reports under the AICPA SOC reporting framework. And much like SSAE 16, SSAE 18 has firmly planted itself as the global de facto reporting standard for service organizations, though the international standard (ISAE 3402) is just as viable in many regards.
3. The SOC 1 vs. SOC 2 Debate: SOC 1 SSAE 18 reports shot out of the gate quickly, replacing SSAE 16 (which replaced SAS 70), and have never looked back. SOC 2 reporting - which uses AT Section 101 - has seen a much slower adoption by service organizations and the accounting and auditing profession as a whole. Time will tell if this changes, but it's important to note that SOC 2 reporting is intended for the growing number of technology companies - data centers, software developers, managed service providers, software as a service (SaaS) entities, and more.
4. Why SOC 1 SSAE 18 Reports are Leading the Pack, but not for Long: A big part of the success of SOC 1 SSAE 18 over SOC 2 AT Section 101 reporting is that of familiarity. Specifically, everyone knew that the SSAE 16 standard (for which SSAE 18 replaced) was effectively replacing the well-known, long-standing SAS 70 auditing standard. As for SOC 2 AT Section 101 reporting, it was quite new – hence – adoption has been slow, but not anymore, as technology companies are moving quickly towards SOC 2 audits.
5. The Future of AT Section 101 vs. SOC 1 SSAE 18: SOC 1 SSAE 18 is full steam ahead – being used by many service organizations for reporting on their control environment. As for SOC 2 AT Section 101 reporting, it has gained incredible momentum in the past few years, and will likely surpass SOC 1 SSAE 18 in terms of relevance and use.
Other important aspects regarding AT Section 101 and SOC 1 SSAE 18 you may want to learn about consist of the following:
• SOC 1 vs. SOC 2
• SOC 2 Reporting
• SOC 3 Reporting
