Note: This is a guest post by David Barton, of UHY Advisors, one of the largest professional services and accounting firms.
The AICPA has replaced the audit standard known as SSAE 16 with a new standard effective for report dates on or after May 1, 2017. This new standard, known as SSAE 18, is designed to address and clarify concerns over the clarity, length and complexity of the many other AICPA standards.
Before we get into the details around the new standard it is important to note that SSAE 18 combines several prior SSAEs that were not related to SSAE 16. SSAE 16 was specific to SOC 1 reports which deal with the controls at a service organization that impact financial reporting of the customers of the service organization. By contrast, SSAE 18 refers to many different types of attestation reports, not just SOC 1 reports.
Many customers and other stakeholders have referred to SOC 1 reports as “SSAE 16” reports. Since there will now be many different reports produced under SSAE 18, we need to begin referring to these attestation reports by their proper name (such as SOC 1, SOC 2, etc.) and not by the standard that is used to produce them.
Below are answers to common questions about the new standard and SOC reporting in general, to help you understand what to look for in an auditor or auditing firm.
What is SSAE 18?
SSAE 18 is the short name for Statement on Standards for Attestation Engagements No. 18. Attestation standards establish requirements and provide application guidance to auditors for performing and reporting on examination, review, and agreed-upon procedures engagements, including Service Organization Controls (SOC) attestations. SSAE 18 completely replaces SSAE 16 and many other SSAEs into a combined standard.
What SSAE 18 is NOT:
SSAE 18 is NOT a certification. Neither was SSAE 16 or SAS 70 that preceded it. There is no such thing as “SSAE 18 certified” and service organizations that use this terminology are merely misleading their customers and stakeholders. SSAE 18 is only the name of the standard used by audit practitioners to perform a variety of attestation reports. Lastly, it is not specific to a certain type of attestation report (a la SSAE 16).
How is SSAE 18 different?
There are a few key changes for customers and other stakeholders that read SOC reports to take note of. There are several changes that impact the way service organizations deal with subservice organizations. What is a subservice organization? Before we answer that, let’s back up and define what a service organization is.
A service organization is an entity that provides services (think cloud hosting, colocation, payroll processing, etc.) to another organization. A subservice organization goes one level deeper–it’s a service organization used by the original service organization to perform services. For example, if your cloud provider “A” uses another Company “B”’s data center to host their servers, then Company B is a subservice organization.
SSAE 18 addresses the importance of accurately disclosing the relationship between the service organization and the subservice organization. Under SSAE 18 a service organization should:
- Identify all subservice organizations used in providing the services
- Include a description of any subservice organization controls (referred to as Complementary Subservice Organization Controls) that the service organization relies on to provide the primary services to its customers
SSAE 18 also requires a service organization to provide the service auditor with a risk assessment that highlights the organization’s key internal risks. This risk assessment helps ensure that the service organization’s controls are regularly reviewed, addresses appropriate risks, and are updated as necessary to mitigate risks.
The last key change brought about by SSAE 18 has to do with monitoring the controls at subservice organizations. It is no longer considered sufficient for service organizations to vet their subservice organizations during the initial buying process and then never check on them again. SSAE 18 requires the:
- service organization implement controls to monitor the effectiveness of relevant controls at the subservice organization; and
- service auditor to report on the controls the service organization implemented to monitor the relevant controls at the subservice organization.
Monitoring controls could include one or any combination of the following:
- Reviewing and reconciling output reports or files
- Periodic discussion with subservice organization personnel
- Regular site visits
- Testing controls at the subservice organization
- Monitoring external communications
- Reviewing SOC reports of the subservice organization’s system
What impact does SSAE 18 have for Online Tech?
Working with our auditors, UHY LLP, we will ensure that our SOC 1 report (as well as our other attestation reports) includes all of the necessary updates and changes related to the adoption of SSAE 18. We strive to deliver reports that are timely, accurate, and complete so that our customers can be assured our controls measure up to the expectations of the marketplace.