The Auditing Standards Board (ASB) released the new Attestation Standards, Standards for Attestation Engagements No. 18 (SSAE 18), which replaces all previous SSAEs, including SSAE 16, except for Chapter 7, “Management’s Discussion and Analysis”, of SSAE 10, and SSAE 15, in the hope of providing more clarity for other attestation engagements. The new standard is effective for reports dated on or after May 1, 2017. It appears to have the most impact on SOC 1 audits.
What are the most significant changes?
SSAE 18 mainly clarifies and recodifies previous standards into a new format. However, SSAE 18 also introduces some new requirements for SOC 1 audits. The most significant requirements are as follows:
- SSAE 18 will require the auditor to gain a more in-depth understanding of the Company’s risk assessments when evaluating whether the Company’s controls are designed to meet the control objectives. AT 320 par. 27 states:
  “The service auditor should assess whether the controls that management identified in its description of the service organization’s system as the controls that achieve the control objectives were suitably designed to achieve those control objectives by (Ref: par. .A28–.A29, .A36, and .A41–.A45)
  - obtaining an understanding of management’s process for identifying and evaluating the risks that threaten the achievement of the control objectives and assessing the completeness and accuracy of management’s identification of those risks
  - evaluating the linkage of the controls identified in management’s description of the service organization’s system with those risks, including risks arising from each of the described classes of transactions and risks that IT poses to the user entity’s internal control over financial reporting, and
  - determining that the controls have been implemented.”
This new guidance will require service organizations to have a more robust, documented risk assessment process, and it specifically links the controls identified in management’s description to the risks identified through that risk assessment process.
- SSAE 18 requires organizations to list Complementary Subservice Organization Controls, and the related services performed by the subservice organization, as part of management’s description. Similar to the complementary user entity controls that are already listed, Complementary Subservice Organization Controls should include “controls that management of the service organization assumes, in the design of the service organization’s system, will be implemented by the subservice organizations and are necessary to achieve the control objectives stated in management’s description of the service organization’s system.” (AT 320 par. 08)
This new guidance will require service organizations to perform a more in-depth review of their relationships with their subservice organizations or vendors to determine which specific vendor controls help them perform the functions promised to their user entities.
- SSAE 18 will also specifically require the organization to include in its description “controls that monitor the effectiveness of controls at the subservice organization, which may include some combination of ongoing monitoring to determine that potential issues are identified timely and separate evaluations to determine that the effectiveness of internal control is maintained over time.” (Par. A27) Examples suggested by the guidance include the following:
  - reviewing and reconciling output reports
  - holding periodic discussions with the subservice organization
  - making regular site visits to the subservice organization
  - testing controls at the subservice organization by members of the service organization’s internal audit function
  - reviewing type 1 or 2 reports on the subservice organization’s system prepared pursuant to this section or section 206
  - monitoring external communications, such as customer complaints relevant to the services by the subservice organization
This new guidance will require service organizations to implement and document monitoring controls to ensure that the controls they identified as Complementary Subservice Organization Controls in the second item above are performed to their satisfaction by their vendors.
What does this mean to Service Organizations?
While most of the changes noted above are not considered significant to most service organizations that obtain such audit reports, we recommend that service organizations review their internal controls to ensure the following are implemented:
- Risk assessment documentation is up to date and includes a detailed linkage showing how the controls in management’s description may address the risks identified in the risk assessment.
- Annual evaluation of the Complementary Subservice Organization Controls relied upon by the organization to complete its work.
- Review of the performance of subservice organizations to ensure their Complementary Subservice Organization Controls are currently operating effectively.
If you are interested in more information about this change or our SOC audit offerings, please contact Andrew Wan at firstname.lastname@example.org.