The AICPA recently issued new guidance, clarifying and expanding the use of the SSAE-16 Report and how it can be leveraged to show adherence with any set of agreed-upon procedures. The SSAE-18 report will be effective as of May 1, 2017 and bring new changes you can learn about here on our SSAE 18 Report overview page.

Recent Posts

The SSAE 18 Audit Standard (Updates and Replaces SSAE-16)

SSAE 18 is a series of enhancements aimed to increase the usefulness and quality of SOC reports, now, superseding SSAE 16, and, obviously the relic of audit reports, SAS 70. The changes made to the standard this time around will require companies to take more control and ownership of their own internal controls around the identification and classification of risk and appropriate management of third party vendor relationships. These changes, while, not overly burdensome, will help close the loop on key areas that industry professionals noted gaps in many service organization’s reports.

SSAE18 is now effective as of May 1, 2017, and if you have not made the necessary adjustments required, now is the time to find a quality provider to discuss the proper steps. All organizations are now required to issue their System and Organization Controls (SOC) Report under the SSAE-18 standard in an SOC 1 Report. The SOC 1 report produced will look and feel very similar to the one issued under SSAE-16, it will just contain a couple additional sections and controls to further enhance the content and quality, and thus, the ability for third parties to rely on.

What’s New in SSAE 18?

As mentioned above, there are a couple key changes that Companies currently performing a SOC 1 or 2, or, will be performing one in the near future, need to take into consideration this year and going forward.

  1. Service Organizations will need to implement a formal Third Party Vendor Management Program
  2. Service Organizations will need to implement a formal Annual Risk Assessment process

In addition to the control based changes, your SOC report should also now contain two additional sections describing the risk assessment process, as well as, the Subservice Organizations that play a role in the overall operation of the system and the corresponding controls they impact or have complete ownership of. These two components were typically present in SOC 2 reports previously, but, not formally required. Now, this concept is being formalized and extended to all SOC reports going forward.

Now, for companies that have not previously undergone a SOC 1 audit because their service / operations were not financially significant, SSAE 18 now expands the definition of what is allowed to be reported on to include an entity’s compliance with certain laws or regulations, contractual arrangements, or another set of defined agreed-upon procedures – just about any outsourced service where 3rd party validation would be beneficial and add assurance. This now allows for an official, independent review, of a wide-range of operations under a trusted and consistent set of auditing and reporting guidelines.

Who Needs an SSAE 18 (SOC 1) Audit?

A service organization’s services are part of an entity’s information system if they affect any of the following:The classes of transactions in the entity’s operations that are significant to the entity’s financial statements. The procedures, both automated and manual, by which the entity’s transactions are initiated, recorded, processed, and reported from their occurrence to their inclusion in the financial statements.The related accounting records, whether electronic or manual, supporting information, and specific accounts in the entity’s financial statements involved in initiating, recording, processing and reporting the entity’s transactions. How the entity’s information system captures other events and conditions that are significant to the financial statements. The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures.If your Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), you will more than likely be asked to provide an SOC 1 Type II Report, especially if the User Organization is publicly traded.
Some example industries include:

  • Payroll Processing
  • Loan Servicing
  • Data Center/Co-Location/Network Monitoring Services
  • Software as a Service (SaaS)
  • Medical Claims Processors

How Does My Company Best Prepare?:

Before starting the SSAE 18 process, there are a number of considerations one must take into account that can save considerable time, effort, and money in the long run. Use the following items as a mini checklist for yourself:

  • Does my Company need an SSAE18, or, are we doing it just because someone asked?
  • Reports on the low end can run at least $15,000 a year, will the business lost be less of a burden than the cost of the report itself?
  • Does your company have defined Business Process and IT controls in place, or, will you need assistance developing and implementing them (readiness assessment)?
  • Have you determined the controls in place which affect the outsourced services being provided?
  • Have key stakeholders been defined and included in discussions?

There are many other issues to consider before engaging a CPA firm to help with your SSAE 18, for a more detailed ‘checklist’ – please see The SSAE 18 Checklist.

Click to Contact a Provider Now!

Are Service Provider Contract Updates Needed with SSAE 18?

While some companies still request a SAS 70 report (why, who knows…), many contracts now require a SSAE 16 report, and with the change to SSAE 18 many are now asking, what is the right language to use going forward? To fix this, the AICPA is now stating the standard number or reference should no longer to be used, and formally referred to as a SOC 1 report. This will hopefully help to prevent this situation in the future when new updates are inevitably implemented (SSAE 19, 20, …). A minor, but, helpful change.

So – while you do not *have* to update your contracts, it’s typically the best course of action, and now, going forward you shouldn’t have to worry about it again.

Are there any other nagging items like this you are running into? If so, contact us or leave a comment and we will do our best to clarify.

Click to Contact a Provider Now!

SOC 2 Report – Trust Services Principles

The System and Organization Controls (SOC) 2 Report will be performed in accordance with AT-C 205 (formerly under AT-101) and based upon the Trust Services Principles, with the ability to test and report on the design (Type I) and operating (Type II) effectiveness of a service organization’s controls (just like SOC 1 / SSAE 18). The SOC 2 report focuses on a business’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1/SSAE 18 which is focused on the financial reporting controls. SOC2-Security: The system is protected, both logically and physically, against unauthorized access.Availability: The system is available for operation and use as committed or agreed to.Processing Integrity:  System processing is complete, accurate, timely, and authorized.Confidentiality:  Information that is designated confidential is protected as committed or agreed.Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice  and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).

The Trust Service Principles which SOC 2 is based upon are modeled around four broad areas: Policies, Communications, Procedures, and Monitoring. Each of the principles have defined criteria (controls) which must be met to demonstrate adherence to the principles and produce an unqualified opinion (no significant exceptions found during your audit). The great thing about the trust principles is that the criteria businesses must meet are predefined, making it easier for business owners to know what compliance needs are required and for users of the report to read and assess the adequacy.

Many entities outsource tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information for user entities. SOC 2 was put in place to address demands in the marketplace for assurance over non-financial controls to prevent SOC 1 from being misused just like SAS 70 was.

Did you know? A business isn’t required to address all the principles, the reviews can be limited only to the principles that are relevant to the outsourced service being performed. Some example industries that might have a need for a SOC 2 include: SaaS Providers, Data Center/ Colocations, Document Production, and Data Analytics providers.

Click to Contact a Provider Now!

SSAE 16 vs ISAE 3402 – Part 2 – Intentional Acts

The first difference between the SSAE 16 and ISAE 3402 Standards is that SSAE 16 requires the service auditor to assess the risk associated with potential “Intentional Acts by Service Organization Personnel”.
Under SSAE 16, If the service auditor, while performing their review, notices deviations that could have been a result of an intentional act by an employee of the service organization, the auditor is required to dig into it. The reasoning for this is to determine whether or not the description of the service organization’s system is not fairly presented and that the controls are not suitably designed or operating effectively.
So, it seems that in this case, the SSAE 16 standard is a bit stricter. If the auditor is not required to dig into an intentional act committed by an employee of the service organization, how would the Auditing Firm and User Organizations feel comfortable with the report? In my opinion, they shouldn’t. Without any consequences for the service organization (failed report), there is an incentive for the service organization to try and operate outside the control structure as defined as it is unlikely that they would be held responsible for their actions. This might be a question you would want to dig into if you are going to use a company that has only been issued an ISAE 3402 report.
Be on the lookout for the next post related to the difference between SSAE 16 and ISAE 3402, Anomalies.

Click to Contact a Provider Now!

SSAE 16 vs ISAE 3402 – Part 1

SSAE 16 was built upon the ISAE 3402 framework, which essentially is the same thing, but accepted at an international level with a number of deviations to be discussed here over time. The AICPA and other standard settings organizations are now encouraged to design their frameworks for reporting on controls at a service organization around the ISAE 3402 framework, this will allow for increased fluidity and lower expenses to complete globally. ISAE 3402 was intentionally designed to allow for minor modifications to adjust for local protocols and existing frameworks.

SSAE 16 contains 9 deviations from the ISAE 3402 framework, at a high level include:

      1. Intentional Acts by Service Organization Personnel
      2. Anomalies
      3. Direct Assistance
      4. Subsequent Events
      5. Statement Restricting Use of the Service Auditor’s Report
      6. Documentation Completion
      7. Engagement Acceptance and Continuance
      8. Disclaimer of Opinion
      9. Elements of the SSAE Report That are Not Required in the ISAE 3402 Report

These topics will be delved into in greater depth at a later time, however, are not of concern if you do not plan on performing outsourcing services for an organization located outside of the United States.

Click to Contact a Provider Now!