SSAE 16 guidance and many other supporting technical aspects regarding Statement on Standards for Attestation Engagements No. 16 (SSAE 16) can be obtained by visiting the official SSAE 16 Resource Guide, developed by NDNB Accountants & Consultants (NDNB). This resource-rich web portal will provide you with all the necessary information regarding the new AICPA attest standard that became effective as of reporting periods ending on or after June 15, 2011. From white papers to blogs along with many other important topics affecting SSAE 16, you'll find all the SSAE 16 guidance you'll ever need. A small sample of notable points of interest found on this in-depth, resource-rich website include information on the following subject matter:
1. The evolution of the new standard: Learn about how SSAE 16 effectively replaced the aging and antiquated SAS 70 auditing standard and how the migration towards more globally accepted accounting principles and standards helped pave the way for the new AICPA attest standard.
2. The newly formed AICPA Service Organization Control (SOC) Framework: Learn how the changing landscape of service organization control reporting resulted in a comprehensive new reporting framework from the American Institute of Certified Public Accountants (AICPA). Known as the "SOC" reporting framework, it consists of SOC 1, SOC 2, and SOC 3 reporting options.
SOC 1 SSAE 18 compliance is a hot topic today indeed within the regulatory compliance world, and for very good reason. Statement on Standards for Attestation Engagements (SSAE) No. 18, known simply as SSAE 18, has effectively replaced both the longstanding SAS 70 audit standard and the SSAE 17 standard for reports dated on or after May 1, 2017. In short, if you're a service organization and have undergone SAS 70 Type 1 and/or Type 2 audits and/or SSAE 16 Type 1 and/or Type 2 audits in the past, it's time you gain a comprehensive understanding of three (3) critical points pertaining to the new SOC compliance.
Developing SOC 1 SSAE 18 Control Objectives that are related to the ICFR Concept is Critical
Since SSAE 18 has effectively replaced SSAE 16 (and also SAS 70), and because the SSAE 18 controls and related assertions need to be based on relevant internal control over financial reporting (ICFR), service organizations need to constructively "re-think" their control objectives. Unlike SAS 70, which became a heavily misapplied auditing standard, the new AICPA SOC framework, under which SSAE 16, and now SSAE 18, falls, requires service organizations to choose between the SOC 1, SOC 2, or SOC 3 reporting regimens.
Thus, if you are embarking on SOC 1 SSAE 18 compliance, your organization will need to ask itself this question:
What services and controls do we, as a service organization, have in place that affect the internal control over financial reporting (ICFR) for entities that utilize our services (i.e., user entities)?
A significant number of service organizations that previously underwent SSAE 18 compliance will no doubt be SSAE 18 candidates, due in large part to the services and supporting controls in place that affect the internal control over financial reporting (ICFR) for entities utilizing their services. Great examples of SOC 1 SSAE 18 candidates are the following:
• Actuarial and Trust Services
• Third Party Administrators (TPA)
• Payroll processors
• Bank Owned Life Insurance (BOLI) and other insurance-related entities that perform critical fiduciary functions for their clients.
• Registered Investment Advisors (RIA)
Thus, the first step your organization should undertake in better understanding the ICFR relationship with your services is to develop a series of process-based flow charts that clearly illustrate your business process lifecycle of events, which will ultimately help when developing the description of the service organization's "system," a critical requirement for SOC 1 SSAE 18 compliance. A service organization's "system" can be defined as the following:
"...the services provided, along with the supporting processes, procedures, personnel, and operational activities that constitute the service organization's core activities that are relevant to user entities..."
Once you begin documenting your business process lifecycle, you'll start identifying key areas where critical ICFR elements take root, such as certain activities along with supporting procedures and processes that begin to define your control environment. You can then begin to formalize control objectives and their supporting control elements. Speaking with a CPA firm qualified to conduct SSAE 18 assessments can also help the process, as they'll have in-depth experience in many of the above listed industries and business sectors. Most helpful in the process is engaging in a SOC 1 SSAE 18 Readiness Assessment, whereby you can get assistance in documenting your business process life cycle and your description of the "system."
How do we document and ultimately illustrate these control objectives in a formalized manner necessary for testing by a CPA firm for SOC 1 SSAE 18 compliance?
If you've undertaken SAS 70 compliance or even SSAE 16 in the past, you may very well have developed and tested ICFR control objectives that you can "carry over" for SOC 1 SSAE 18 testing. You can also work with a CPA firm qualified to conduct SOC 1 SSAE 18 assessments, but ultimately, these are your control objectives from your control environment, for which management is responsible. With that said, here are some sample generic ICFR control objectives that you may consider.
• Controls provide reasonable assurance that batch processing transactions are authorized, result in accurate output data, and reconciliation activities are undertaken to confirm such accuracy.
• Controls provide reasonable assurance that I.T. systems capture critical client financial data in an accurate, timely, and complete manner.
• Controls provide reasonable assurance that all necessary reporting activities pertaining to critical financial data are conducted on a structured, regimented basis, resulting in accurate, timely, and complete information.
• Controls provide reasonable assurance that automated and manual controls are in place and utilized for initiating transactions for client data.
Management of the service organization will be required to provide the auditor with working documentation of the control environment under evaluation for SOC 1 SSAE 18 reporting. The documentation will usually consist of policies and procedures, narrative descriptions of the controls, organizational charts, business flow charts, and functional diagrams. These will need to represent not just the control objectives, but also the detail of the control specifications and the overall design of the system of controls. An assertion will also be provided to the auditor, either as part of the description of the overall control design (system) or as a separate document that details management's understanding (Management Assertion) of the monitoring and operating effectiveness of the system over the relevant testing period, for attestation by the auditor.
The auditor should not issue a SOC 1 report without an understanding of the specific and relevant ICFR. Generally, service organizations whose control environments are relevant to their users but which have no specific responsibility for identifiable ICFR activities should define their controls in relation to SOC 2 and/or SOC 3 reporting instead. Contact Christopher Nickell, CPA, to receive a competitive, fixed fee quote for all your SOC 1 SSAE 16 needs. He can be reached at 1-800-277-5415, ext. 706.
SSAE 16 Definition: "Statement on Standards for Attestation Engagements (SSAE) No. 16 is an attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) that addresses engagements undertaken by a service auditor for reporting on controls at organizations (i.e., service organizations) that provide services to user entities, where a service organization's controls are likely to be relevant to a user entity's internal control over financial reporting (ICFR)."
SSAE 16 effectively replaces Statement on Auditing Standards No. 70 (SAS 70) for service auditors' reporting periods ending on or after June 15, 2011. Two (2) types of SSAE 16 reports are to be issued, a Type 1 and a Type 2. Additionally, SSAE 16 requires that the service organization provide a description of its "system" along with a written assertion by management. However, with a few notable exceptions, SSAE 18 is now superseding existing attestation standards, including SSAE 16, so a common question asked is "will SSAE 16 reports now be called SSAE 18 reports?" To be clear, SSAE 18 is simply the attestation standard used for issuing SOC reports, so we'll hopefully see a clarification on naming conventions that will simply be SOC 1, SOC 2, and SOC 3 reports, but it is also likely that a commonly used phrase may very well be SSAE 18 SOC 1 or SOC 1 SSAE 18.
To learn more about SSAE 16, please visit the SOC Report Resource Guide, provided by NDNB Accountants & Consultants, LLP.
Additionally, SSAE 16 and now SSAE 18, along with AT Section 101, form the underlying platform and professional standards on which the new AICPA SOC reporting framework is founded, which consists of SOC 1, SOC 2, and SOC 3 reports.
SSAE 18 Definition: Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification, effectively establishes requirements for performing and reporting on examination, review, and agreed-upon procedures engagements that enable practitioners to report on subject matter other than historical financial statements. SSAE 18 was put forth to address concerns over the clarity, length, and complexity of various standards developed by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). In clarifying the attestation standards, the ASB used the following special drafting conventions to make the standards easier to read, understand, and apply. Furthermore, SSAE 18 is effective for practitioners' reports dated on or after May 1, 2017.
For purposes of AICPA SOC reporting (SOC 1 and SOC 2 reports), SSAE 18 advocates the following:
Assertion Criteria Modification: While always a part of SSAE 16, SSAE 18 requires a disclosure of the relationship between the service organization and its relevant subservice organizations. Specifically, have the services being performed by the service organization been included or carved out, and are such disclosures made apparent in reporting?
Monitoring of Controls at Subservice Organizations: A subservice organization is a service organization that is used by another service organization and that assists in or participates in providing services to the actual user entity, such that its activities would be included in the description of the primary service organization's system. Therefore, organizations that provide services to a service organization but are not considered subservice organizations are referred to simply as vendors, because their services do not impact the controls of the primary service organization. Both SOC 1 and SOC 2 reporting require a service organization to provide relevant information regarding the following activities being performed to effectively monitor the controls at subservice organizations:
- Review of Output Reports
- Regularly Scheduled Communication and Correspondence
- Regularly Scheduled Site Visits
- Actual Testing of Controls
- Monitoring External Communications
- Reviewing of Regulatory Compliance Reports
Evidence Provided by the Service Organization: Historically speaking, auditing best practices have always included obtaining reliable, current, relevant, and accurate data from a service organization. While almost every previous auditing standard (i.e., SAS 70, SSAE 16) has discussed the concept of evidence, it's now defined with more clarity. In short, SSAE No. 18 provides the following list of information that a service auditor receives, and which may require additional assessment procedures moving forward:
- Population lists used for sample tests
- Exception reports
- Lists of data with specific characteristics
- Transaction reconciliations
- System-generated reports
- Other system-generated data (e.g. configurations, parameters, etc.)
- Documentation that provides evidence of the operating effectiveness of controls, such as user access listings.
As a result of SSAE 18 pronouncements regarding evidence, SOC auditors will have to dig deeper in asking for more detailed evidence, and service organizations in turn will need to start retaining more detailed records.
Turn to the Experts at NDNB for all Your Compliance Needs
SOC 1 SSAE 18 reports will be geared towards service organizations that are reporting on controls relevant to internal control over financial reporting (ICFR). As such, SOC 1 Reports will be conducted in accordance with the professional standard known as Statement on Standards for Attestation Engagements (SSAE) No. 18, simply known as SSAE 18.
Goodbye to SSAE 16 and Hello to SSAE 18. What it Means for You
Additionally, accompanying SOC 1 SSAE 18 audit guides have been released to help auditors perform these engagements. In simpler terms, the SOC 1 reporting framework will use the SSAE 18 standard as the professional standard for issuing these reports, resulting in two (2) types of SOC 1 reports, a Type 1 and a Type 2. This is very similar to the reporting that took place for SAS 70 and SSAE 16, where a service organization was issued either a SAS 70 Type I or a SAS 70 Type II report, or an SSAE 16 Type 1 or an SSAE 16 Type 2 report. Please note that the intent of SOC 1 SSAE 18 reports (either a Type 1 or a Type 2) is actually what the original SAS 70 standard was designed for, but strayed heavily from: reporting on controls relevant to internal control over financial reporting (ICFR). SOC 2 reports (and also SOC 3) should be used by all parties reporting on controls outside of those related to financial reporting.
Common examples of service organizations that would be candidates for the SOC 1 SSAE 18 reporting framework are trust departments, registered investment advisors (RIA), employee benefit plans, actuary services, and many other types of organizations that provide outsourced service functions to user entities, where the controls are relevant to the user entities' internal controls related to financial reporting. As a service organization, you'll need to ask yourself which particular SOC reporting framework you fall under and what measures you have taken to communicate with your clients on their reporting needs.
For professional guidance on these matters, trust NDNB Accountants & Consultants, a nationally recognized PCAOB CPA firm specializing in regulatory compliance. Additionally, you can speak directly with Chris Nickell, CPA, at 1-800-277-5415, ext. 706 regarding your reporting needs.
Service Organization Control (SOC) 1 reports are to be conducted in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. SSAE 16 is effectively replacing the SAS 70 auditing standard for reporting periods ending on or after June 15, 2011. Much like SAS 70, SSAE 16 provides two (2) reporting options: a Type 1, a "report on a service organization's system and the suitability of the design of controls", while an SSAE 16 Type 2 Report is officially a "Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls". However, fast forward to 2017, and SSAE 16 has effectively been replaced by SSAE 18.