SSAE 18 is a series of enhancements aimed to increase the usefulness and quality of SOC reports, now, superseding SSAE 16, and, obviously the relic of audit reports, SAS 70. The changes made to the standard this time around will require companies to take more control and ownership of their own internal controls around the identification and classification of risk and appropriate management of third party vendor relationships. These changes, while, not overly burdensome, will help close the loop on key areas that industry professionals noted gaps in many service organization’s reports.
SSAE18 is now effective as of May 1, 2017, and if you have not made the necessary adjustments required, now is the time to find a quality provider to discuss the proper steps. All organizations are now required to issue their System and Organization Controls (SOC) Report under the SSAE-18 standard in an SOC 1 Report. The SOC 1 report produced will look and feel very similar to the one issued under SSAE-16, it will just contain a couple additional sections and controls to further enhance the content and quality, and thus, the ability for third parties to rely on.
What’s New in SSAE 18?
As mentioned above, there are a couple key changes that Companies currently performing a SOC 1 or 2, or, will be performing one in the near future, need to take into consideration this year and going forward.
- Service Organizations will need to implement a formal Third Party Vendor Management Program
- Service Organizations will need to implement a formal Annual Risk Assessment process
In addition to the control based changes, your SOC report should also now contain two additional sections describing the risk assessment process, as well as, the Subservice Organizations that play a role in the overall operation of the system and the corresponding controls they impact or have complete ownership of. These two components were typically present in SOC 2 reports previously, but, not formally required. Now, this concept is being formalized and extended to all SOC reports going forward.
Now, for companies that have not previously undergone a SOC 1 audit because their service / operations were not financially significant, SSAE 18 now expands the definition of what is allowed to be reported on to include an entity’s compliance with certain laws or regulations, contractual arrangements, or another set of defined agreed-upon procedures – just about any outsourced service where 3rd party validation would be beneficial and add assurance. This now allows for an official, independent review, of a wide-range of operations under a trusted and consistent set of auditing and reporting guidelines.
Who Needs an SSAE 18 (SOC 1) Audit?
If your Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), you will more than likely be asked to provide an SOC 1 Type II Report, especially if the User Organization is publicly traded.
Some example industries include:
- Payroll Processing
- Loan Servicing
- Data Center/Co-Location/Network Monitoring Services
- Software as a Service (SaaS)
- Medical Claims Processors
How Does My Company Best Prepare?:
Before starting the SSAE 18 process, there are a number of considerations one must take into account that can save considerable time, effort, and money in the long run. Use the following items as a mini checklist for yourself:
- Does my Company need an SSAE18, or, are we doing it just because someone asked?
- Reports on the low end can run at least $15,000 a year, will the business lost be less of a burden than the cost of the report itself?
- Does your company have defined Business Process and IT controls in place, or, will you need assistance developing and implementing them (readiness assessment)?
- Have you determined the controls in place which affect the outsourced services being provided?
- Have key stakeholders been defined and included in discussions?
There are many other issues to consider before engaging a CPA firm to help with your SSAE 18, for a more detailed ‘checklist’ – please see The SSAE 18 Checklist.
There are significant differences between a Type I and Type II report, however, we aren’t going to discuss that here, thats for another day. We will discuss the basics of a SSAE 16 Type I Report and some areas that should be focused on if this is the direction your company wants to take.
While the Type I Report doesn’t carry much weight, there are benefits, and that’s why it exists as an option. A Type I Report is specifically defined by the SSAE 16 guidance as a “report on a description of a service organization’s system and the suitability of the design of controls”, essentially, a determination of if your company’s controls designed appropriately. When performing a Type I report, the auditors will test the design effectiveness of your company’s defined controls by examining a sample of 1 item per control. This provides a user organization with some comfort that your company (the service organization) has at least some controls in place. This can be useful when trying to obtain a contract and to show good faith to the potential user organization that your company is moving in the right direction. Most user organizations will require a Type II Report before contracting your company as a service organization of theirs.
The Type I Report is made up of 3 major areas, per the SSAE No. 16 Guidance:
a description of the service organization’s system prepared by management of the service organization.
– Management will need to prepare a description of the control objectives that are in place and being tested at their organization, as it relates to the process that is being reviewed for use by a User Organization. This will read sort of like a narrative of the process and how your control objectives tie in to each other and the process as a whole, giving a User Organization an overview of what and how, at a high level, their data will be handled.
a written assertion by the Service Organization’s management about whether, in all material respects, and based on suitable criteria:
1. the description of the service organization’s system fairly presents the service organization’s system that was designed and implemented as of a specified date.
2. the controls related to the control objectives stated in the description were suitably designed to achieve those control objectives as of the specified date.
– Management will need to prepare a written assertion attesting to the fair presentation and design of controls. Previously under SAS 70, it was the auditors who reported directly on the controls and management was not required to attest to anything. (There will be a separate post describing this in detail as this is a major difference)
The final component:
a service auditor’s report that expresses an opinion on the matters in b1-2.
– The auditors that are hired to perform the testing will need to review the Management’s assessment of the design of controls and attest to the validity of Management’s opinion. The auditors will walk through the control objectives and control activities in place at your company and verify they are, in fact, designed as Management noted. This is where the auditors will obtain a sample of 1 to support each control activity and express the results of their testing.
Specifics of reporting details for a SSAE Type I will be discussed later on!
This information is also consistent with SSAE-18 which is effective as of May 1, 2017.
Another series we will have periodic posts about will be related to potential controls that would be expected to be in place, almost regardless of the entity in question.
This will be a real basic one to help get everyone up to speed, we will delve into other areas that may be a little more advanced in the future.
Example: Firewalls are in place at all externally facing access points.
The point of this control is to ensure that firewalls are being used at the organization to help prevent hacking attempts, thus, the theft of data. Companies outsourcing their workloads want to have comfort that the company performing the work has adequate security measures in place to lower the chance of their data being stolen.
Firewalls are some of the most basic devices that need to be in place at a business to protect data and if your business does not currently employ firewalls on their network, it is a must do and should be looked into immediately.
The standards or benchmarks used to measure and present the subject matter and against which the service auditor evaluates the subject matter.
Criteria are the overarching goals that the control objectives and activities that are in place are designed to meet and that the final report is to give assurance on, for example, “The system is protected against unauthorized access (both physical and logical).” To meet this criteria, a company may decide to include controls such as “Firewalls are installed at all external entry points” or “A User Access Review of Access Badges is performed on a Monthly Basis”. Criteria are used as a benchmark to assess the design and operating effectiveness of internal controls at an organization, however, Management is responsible for making sure that the controls in place support the defined criteria sufficiently.
There are best practice criteria available for most industries that reflect prevailing internal controls best practices and requirements from around the world, some of these can be found on the AICPA website if you would like some additional examples.
This definition and information is consistent in SSAE-18.
The SOC 3 Report , just like SOC 2, is based upon the Trust Service Principles and performed under AT101, the difference being that a SOC 3 Report can be freely distributed (general use) and only reports on if the entity has achieved the Trust Services criteria or not (no description of tests and results or opinion on description of the system). The lack of a detailed report requires that a SOC 3 be performed as a Type II, unlike SOC 1 and SOC 2 where there is a Type I option. SOC 3 reports can be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality and privacy) and allow the organization to place a seal on their website upon successful completion.
The Trust Service Principles were designed with a focus on e-commerce systems due to the amount of private/confidential/financial information that flows across the internet daily. When a customer processes a transaction (online retailer), builds a business on your service (SaaS providers), or submits private information, they want to know best practices are being followed by the company to guard against security leaks, lost sales, and damaged data. The most common reports based upon the trust principles are referred to as WebTrust and SysTrust.
The SysTrust review encompasses a combination of the following principles:
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
The WebTrust certification can fall into the following four categories:
- WebTrust. The scope of the engagement includes any combination of the trust principles and criteria .
- WebTrust Online Privacy. The scope of the engagement is based upon the online privacy principle and criteria.
- WebTrust Consumer Protection. The scope of the engagement is based upon the processing integrity and relevant online privacy principles and criteria.
- WebTrust for Certification Authorities. The scope of the engagement is based upon specific principles and related criteria unique to certification authorities.
While some companies still request a SAS 70 report (why, who knows…), many contracts now require a SSAE 16 report, and with the change to SSAE 18 many are now asking, what is the right language to use going forward? To fix this, the AICPA is now stating the standard number or reference should no longer to be used, and formally referred to as a SOC 1 report. This will hopefully help to prevent this situation in the future when new updates are inevitably implemented (SSAE 19, 20, …). A minor, but, helpful change.
So – while you do not *have* to update your contracts, it’s typically the best course of action, and now, going forward you shouldn’t have to worry about it again.
Are there any other nagging items like this you are running into? If so, contact us or leave a comment and we will do our best to clarify.