Service organizations that are new to third-party reporting on controls or who are migrating from the SSAE 16 standard to SSAE 18 should follow a comprehensive roadmap for ensuring compliance in an efficient, seamless, and cost-effective manner. Without a workable roadmap and timeline, the transition to SOC 1 SSAE 18 compliance can seem daunting indeed.
NDNB has prepared the following SOC 1 SSAE 18 Roadmap to compliance: a series of essential steps to be taken to help your organization meet the demands of the new attestation standard.
Learn about SOC 1 SSAE 18
SOC 1 SSAE 18 introduces new reporting requirements for service organizations, and as such, service organizations need to gain a strong technical understanding of the following essential material:
- The service organization's description of its "system"
- The written assertion by management
- The internal audit function
- Subservice organization reporting
Hire a Qualified IR CPA Firm for SSAE 16 Reporting
Choose a CPA firm that specializes in regulatory compliance reporting and one that has formidable experience with the SSAE 16 auditing standard, along with a strong technical understanding of SOC 1 SSAE 18 reporting and the international equivalent ISAE 3402 standard. A competent CPA firm will help you in the following manner:
- Provide you with a fixed fee for the SOC 1 SSAE 18 engagement.
- Provide guidance in helping you produce both the description of your "system" and the written assertion by management.
- Provide, as needed, various policies, procedures, and other templates to help remediate any weaknesses within your control environment.
Conduct a SOC 1 SSAE 18 Readiness Assessment
A SOC 1 SSAE 18 Readiness Assessment should be considered a "must have" for any service organization, regardless of whether you are new to the regulatory compliance arena or are simply migrating from the SAS 70 auditing standard. In short, a SOC 1 SSAE 18 Readiness Assessment is a proactive and useful engagement that helps you better plan and execute the overall audit. A SOC 1 SSAE 18 Readiness Assessment should encompass the following:
- Understanding the reporting requirements for SOC 1 SSAE 18.
- Developing and agreeing on the scope of a SOC 1 SSAE 18 engagement, such as control objectives to include, business process controls, physical locations for fieldwork, duration of the test period (if a SOC 1 SSAE 18 Type 2 engagement is being performed), etc.
- Providing the service organization with a series of SOC 1 SSAE 18 Readiness Questionnaires.
- Developing a gap analysis, identifying areas that may require remediation before beginning the audit.
- Identifying and discussing, if applicable, the role of the internal audit function within the service organization.
- Providing guidance and direction to the service organization regarding the development of the description of its "system" and the written assertion by management, two fundamentally important components of SOC 1 SSAE 18 reporting.
If, during the course of the SOC 1 SSAE 18 Readiness Assessment, gaps are found that require remediation, it is imperative that remediation be completed before moving forward with the actual audit itself. The remediation period can and will vary from one service organization to another, and is often the result of inadequate procedures and other documented processes being in place. Other times, it may require putting in place a number of controls or other measures to ensure that the intent and the rigor of the actual control to be tested is effectively met.
Other Essential Steps
Once you have completed remediation, the audit should effectively commence, which may begin with any number of steps, depending on the firm you work with and the course of action that has been outlined during the SOC 1 SSAE 18 Readiness Assessment phase. Generally speaking, the following measures will need to be undertaken for a SOC 1 SSAE 18 engagement:
- Scheduling fieldwork and identifying personnel.
- Developing a comprehensive list of items to be obtained and inspected during fieldwork.
- Confirming that management of the service organization has produced a description of its system and is also developing a written assertion.
- Authoring the final SOC 1 SSAE 18 Type 1 or Type 2 report, noting any exceptions, while also providing the service organization with general post-audit comments, suggestions, and other feedback, which is generally known as "management comments".
- Having all relevant parties of the SOC 1 SSAE 18 audit participate in a formal closing meeting.
SOC 1 (SSAE 16/SSAE 18) and ISAE 3402 share many similarities indeed, both being standards that have fundamentally reshaped the regulatory compliance landscape for reporting on controls at service organizations. As of June 15, 2011, the well-recognized SAS 70 auditing standard was replaced by SSAE 16, allowing the new U.S. standard, along with ISAE 3402 and other region-specific standards, to become the dominant platforms for reporting on controls at service organizations. Then, for SOC reports issued on or after May 1, 2017, SSAE 18 superseded SSAE 16.
A Collaborative Effort by Various Standard Setting Bodies
SSAE 16/SSAE 18 and ISAE 3402 are the result of a collaborative effort put forth by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC) and the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Both entities closely aligned each of their respective standards in an attempt to follow a growing move towards more international, globally accepted accounting standards. The IAASB took the lead in establishing the new ISAE 3402 standard, with the ASB following closely behind and adopting a "convergence" ideology in developing the framework for SSAE 16/SSAE 18 that was to closely mirror ISAE 3402.
Two Important Points to Note
The two most important elements that distinguish SSAE 16/SSAE 18 and ISAE 3402 from the SAS 70 auditing standard are that management of the service organization must provide a description of its "system" along with a written assertion. This will no doubt require careful planning and consideration from the service organization to ensure these reporting requirements are met. And while the SAS 70 auditing standard called for a description of "controls", the SSAE 16/SSAE 18 and ISAE 3402 standards call for a description of the service organization's "system", which can be quite broad and extensive when reading the final language of the SSAE 16/SSAE 18 and ISAE 3402 standards.
Subtle Differences Between SSAE 16/SSAE 18 and ISAE 3402
However, there are indeed a number of differences between SSAE 16/SSAE 18 and ISAE 3402, and a qualified service auditor can explain these to your organization, if necessary. Most of these differences can be looked upon as technical in nature, as the overriding platforms of SSAE 16/SSAE 18 and ISAE 3402 are very similar. SSAE 16/SSAE 18 and ISAE 3402 will effectively become the dominant standards used for reporting on controls at service organizations. It is unclear at this point what role any of the existing country- and region-specific standards will have. SAS 70 is long gone, so say hello to the SSAE 18 standard.
NDNB - North America's Leading Provider of SOC 1 (SSAE 16/SSAE 18) - Fixed Fees
Please contact us today or call Christopher G. Nickell, CPA, to learn more about NDNB’s competitive, fixed-fee pricing for SOC 1 (SSAE 16/SSAE 18) Type 1 and Type 2 reporting. 1-800-277-5415, ext. 706.
The SOC 1 (SSAE 16/SSAE 18) standard requires management of the service organization to provide a description of its “system” along with a written assertion to the service auditor, both of which require careful attention and preparation by management themselves.
Description of its System
For SOC 1 (SSAE 16/SSAE 18), a service organization’s description of its “system” should be looked upon as the following: The services provided, along with all supporting processes (technology or manual), policies, procedures, personnel, and operational activities that aid and facilitate the daily functioning of the service organization’s core activities that are relevant to user entities.
A service organization’s description of its “system” should encompass these main attributes, but one should expect to see variations in the descriptions of these “systems”, due in large part to the differences that exist amongst service organizations themselves.
For example, a Software as a Service (SaaS) entity describing and documenting its “system” will differ noticeably from that of a Third Party Administrator (TPA) of medical claims describing their “system”. In short, no two service organization “systems” are alike, but entities should strive to include all necessary information when presenting their description of the “system” to the service auditor. Learn more about
Thus, the framework for documenting a service organization’s system for purposes of SSAE 16 should include a comprehensive discussion of the following components:
- The services provided along with the classes of transactions processed.
- The procedures used, from beginning to end, both automated and manual, for the transactions (i.e., the flow of the transactions and all activities, from initiation to correction of errors, as necessary).
- How the system captures and addresses significant events and conditions, along with what processes and procedures are used to prepare and report information, as necessary, to user entities.
- The control objectives, related controls, and user control considerations.
- The service organization's elements of internal control, which are generally based on the COSO framework and consist of the following: (1) Control Environment, (2) Control Activities, (3) Information and Communication, (4) Risk Assessment, and (5) Monitoring.
SOC 1 (SSAE 16/SSAE 18) written assertion by management
Management of the service organization must also produce a "written assertion" for purposes of SOC 1 (SSAE 16/SSAE 18) reporting, which "asserts" that (1) management's description of the service organization's "system" is fairly presented, and (2) the controls and related control objectives were suitably designed and (for purposes of SOC 1 (SSAE 16/SSAE 18) Type 2 reporting) were operating effectively.
Any service organization undertaking SOC 1 (SSAE 16/SSAE 18) compliance should seek assistance and guidance from a qualified SOC 1 (SSAE 16/SSAE 18) auditing firm for gaining a comprehensive understanding of the written assertion by management.
Lastly, for purposes of SOC 1 (SSAE 16/SSAE 18) reporting, the SSAE 16/SSAE 18 publications released by the American Institute of Certified Public Accountants (AICPA) state that the actual written statement of assertion may be included in or attached to management's description of the service organization's system. This provides flexibility to the service auditor for purposes of drafting the final SOC 1 (SSAE 16/SSAE 18) report. A number of practitioners have noted that service auditors performing SOC 1 (SSAE 16/SSAE 18) engagements should also require management of the service organization to produce the actual written statement of assertion on their own letterhead, much like a management representation letter. Want to receive a competitive, fixed fee for SOC 1 (SSAE 16/SSAE 18) Type 1 and Type 2 compliance? Then please contact us today or call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706.
SOC 1 (SSAE 16/SSAE 18) engagements undertaken by a service auditor are performed for the purpose of reporting on controls at service organizations that provide services to user entities, where those controls are likely to be relevant to user entities' internal control over financial reporting. In simpler terms, SSAE 18 reports, much like those under the now historical SSAE 16 auditing standard, are focused on internal controls over financial reporting. The SSAE 18 standard has been very clear from the onset in describing the scope of this type of engagement for purposes of reporting and preparing SOC 1 SSAE 18 Type 1 and Type 2 reports. Thus, practitioners should perform an alternative engagement under AT section 101, Attest Engagements, when reporting on controls other than those related to internal control over financial reporting.
SOC 1 (SSAE 16/SSAE 18), ISAE 3402 and SOC 2 Reports - A Natural Evolution
With that said, however, the SSAE 16 standard, put forth by the Auditing Standards Board (ASB) of the AICPA, does clearly state that controls “likely” to be relevant to user entities’ internal control over financial reporting are to be included in the scope of an SSAE Type 1 or Type 2 engagement for purposes of reporting on controls. The “likely” phrase seems to provide the flexibility for including controls as needed for SSAE 16 reports.
The Birth of ISAE 3402 - European SSAE 16 Equivalent
Statement on Standards for Attestation Engagements (SSAE) 16 came about for a number of fundamental reasons, one of the most important being the need for SSAE 16 to closely mirror and align itself with ISAE 3402, the globally accepted standard for reporting on controls at service organizations. The regulatory landscape has changed dramatically in recent years, forcing many service organizations to undergo an examination of their control environment. As such, SAS 70, the U.S. standard for reporting on controls at service organizations, was well positioned to accommodate the needs of businesses for compliance reporting purposes, ultimately allowing it to play a dominant role, both regionally and internationally. However, its limitations forced changes, resulting in the issuance of SSAE 16, which effectively supersedes SAS 70 on or after June 15, 2011. Following the issuance of SSAE 16, SSAE 18 is now the standard used for issuing SOC 1 reports dated on or after May 1, 2017.
SOC 1 (SSAE 16/SSAE 18), SOC 2 and SOC 3 are Born
Along with the changes came SOC 2 assessments as part of the AICPA Service Organization Control (SOC) framework, which consists of SOC 1 (SSAE 16/SSAE 18), SOC 2, and SOC 3 reporting. Finally, there were options for service organizations when it came to having assessments and audits performed on their internal control environments. The change was long overdue and greatly needed. Many of the challenges facing SAS 70 that ultimately resulted in the formation of the new SSAE 16 attest standard, which is now part of the AICPA Service Organization Control (SOC) reporting platform (SOC 1, SOC 2, and SOC 3), include the following:
Global Accounting Standards
The consensus amongst the international accounting community has been that of moving forward with globally accepted accounting principles and standards, which is evident with ISAE 3402, the international standard for reporting on controls at service organizations. It was clear that a revised U.S. standard would be necessary for keeping pace with these changes, hence SSAE 16 evolved to supersede SAS 70. Though there are a number of very subtle differences between SSAE 16 and ISAE 3402, they are essentially very similar with regard to their intent and overall framework.
Service Organization Reporting Requirements
The explosive growth in outsourcing has coincidentally resulted in a much greater reliance on independent, third-party audits for purposes of reporting on controls at service organizations. SAS 70 played a major, if not dominant role, in providing the framework for which service auditors would perform Type 1 and Type 2 engagements on service organizations. However, the original intent of the SAS 70 auditing standard was a report primarily used from auditor to auditor and one not geared towards the increasing requirements being put forth by a multitude of bodies, such as regulatory agencies, governmental entities, and other notable users of the report.
SOC 1 (SSAE 16/SSAE 18) and ISAE 3402 - Two Prominent Standards
As a result, SOC 1 (SSAE 16/SSAE 18) now provides additional information with which intended users of the report can have greater confidence in the reporting of controls at service organizations. Specifically, SOC 1 (SSAE 16/SSAE 18) requires an in-depth description of the service organization's "system" along with a written assertion by management. The written assertion was never required by SAS 70, and the description of the service organization's system now requires management to place a greater emphasis on describing and documenting this system for the service auditor for purposes of SOC 1 (SSAE 16/SSAE 18) reporting. In short, SOC 1 (SSAE 16/SSAE 18) closely mirrors ISAE 3402 and, in doing so, allows the U.S. standard to be well positioned for effectively meeting the growing needs of reporting on controls at service organizations. Furthermore, SSAE 16 effectively removes any limitations that were starting to show with SAS 70.
Statement on Standards for Attestation Engagements (SSAE) No. 18 is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Specifically, SSAE 18 is an attestation standard geared towards addressing engagements conducted by practitioners (known as "service auditors") on service organizations for purposes of reporting on the design of controls and their operating effectiveness. As such, SOC 1 SSAE 18 engagements conducted by service auditors on service organizations will result in the issuance of either an SSAE 18 Type 1 or Type 2 Report.
A Type 1 report is technically known as a "Report on Management's Description of a Service Organization's System and the Suitability of the Design of Controls", or simply known as a SOC 1 SSAE 18 Type 1 report.
A Much Needed Change for Reporting on Internal Controls
SSAE 18 has effectively replaced SSAE 16 (and before that, SAS 70) as the primary standard for reporting on controls at service organizations. SAS 70, an auditing standard put forth in 1992 by the AICPA, has been a highly valuable and globally accepted framework, and one that has been amended a number of times to help keep pace with the growing changes in regulatory compliance. Even so, limitations within the SAS 70 framework prompted the Auditing Standards Board of the AICPA to put forth a new standard, one with an "attest" function, and one that closely mirrors the international standard on reporting on controls at service organizations - ISAE 3402.
The Emergence of SOC 2 Audits
Talk to the SOC 1 and SOC 2 Compliance Experts Today at NDNB