SSAE 18 is a series of enhancements aimed to increase the usefulness and quality of SOC reports, now, superseding SSAE 16, and, obviously the relic of audit reports, SAS 70. The changes made to the standard this time around will require companies to take more control and ownership of their own internal controls around the identification and classification of risk and appropriate management of third party vendor relationships. These changes, while, not overly burdensome, will help close the loop on key areas that industry professionals noted gaps in many service organization’s reports.

SSAE18 is now effective as of May 1, 2017, and if you have not made the necessary adjustments required, now is the time to find a quality provider to discuss the proper steps. All organizations are now required to issue their System and Organization Controls (SOC) Report under the SSAE-18 standard in an SOC 1 Report. The SOC 1 report produced will look and feel very similar to the one issued under SSAE-16, it will just contain a couple additional sections and controls to further enhance the content and quality, and thus, the ability for third parties to rely on.

What’s New in SSAE 18?

As mentioned above, there are a couple key changes that Companies currently performing a SOC 1 or 2, or, will be performing one in the near future, need to take into consideration this year and going forward.

1. Service Organizations will need to implement a formal Third Party Vendor Management Program
2. Service Organizations will need to implement a formal Annual Risk Assessment process

In addition to the control based changes, your SOC report should also now contain two additional sections describing the risk assessment process, as well as, the Subservice Organizations that play a role in the overall operation of the system and the corresponding controls they impact or have complete ownership of. These two components were typically present in SOC 2 reports previously, but, not formally required. Now, this concept is being formalized and extended to all SOC reports going forward.

Now, for companies that have not previously undergone a SOC 1 audit because their service / operations were not financially significant, SSAE 18 now expands the definition of what is allowed to be reported on to include an entity’s compliance with certain laws or regulations, contractual arrangements, or another set of defined agreed-upon procedures – just about any outsourced service where 3rd party validation would be beneficial and add assurance. This now allows for an official, independent review, of a wide-range of operations under a trusted and consistent set of auditing and reporting guidelines.

Who Needs an SSAE 18 (SOC 1) Audit?

If your Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), you will more than likely be asked to provide an SOC 1 Type II Report, especially if the User Organization is publicly traded.
Some example industries include:

• Payroll Processing
• Loan Servicing
• Data Center/Co-Location/Network Monitoring Services
• Software as a Service (SaaS)
• Medical Claims Processors

How Does My Company Best Prepare?:

Before starting the SSAE 18 process, there are a number of considerations one must take into account that can save considerable time, effort, and money in the long run. Use the following items as a mini checklist for yourself:

• Does my Company need an SSAE18, or, are we doing it just because someone asked?
• Reports on the low end can run at least $15,000 a year, will the business lost be less of a burden than the cost of the report itself?
• Does your company have defined Business Process and IT controls in place, or, will you need assistance developing and implementing them (readiness assessment)?
• Have you determined the controls in place which affect the outsourced services being provided?
• Have key stakeholders been defined and included in discussions?

There are many other issues to consider before engaging a CPA firm to help with your SSAE 18, for a more detailed ‘checklist’ – please see The SSAE 18 Checklist.

The System and Organization Controls (SOC) 2 Report will be performed in accordance with AT-C 205 (formerly under AT-101) and based upon the Trust Services Principles, with the ability to test and report on the design (Type I) and operating (Type II) effectiveness of a service organization’s controls (just like SOC 1 / SSAE 18). The SOC 2 report focuses on a business’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1/SSAE 18 which is focused on the financial reporting controls.

The Trust Service Principles which SOC 2 is based upon are modeled around four broad areas: Policies, Communications, Procedures, and Monitoring. Each of the principles have defined criteria (controls) which must be met to demonstrate adherence to the principles and produce an unqualified opinion (no significant exceptions found during your audit). The great thing about the trust principles is that the criteria businesses must meet are predefined, making it easier for business owners to know what compliance needs are required and for users of the report to read and assess the adequacy.

Many entities outsource tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information for user entities. SOC 2 was put in place to address demands in the marketplace for assurance over non-financial controls to prevent SOC 1 from being misused just like SAS 70 was.

Did you know? A business isn’t required to address all the principles, the reviews can be limited only to the principles that are relevant to the outsourced service being performed. Some example industries that might have a need for a SOC 2 include: SaaS Providers, Data Center/ Colocations, Document Production, and Data Analytics providers.

The Service and Organization Controls 2 Report, formally known as a Service Organization Controls Report as of the most recent update to the SSAE 18 audit standard. A SOC 2 report can cover the design (type 1 report) or operating effectiveness (type 2 report) of controls around a Company’s system over any number of categories, including, Security, Availability, Confidentiality, Processing Integrity, and/or Privacy.

See our more detailed SOC 2 Report page for more information.

The AICPA recently made efforts to expand the use of SOC 2 in two significant ways – additional reporting Criteria and alignment with other significant and at times, required, IT Security regulations. This expansion increases the utility of a SOC 2 report and overall compliance costs and efforts of Businesses small, medium, and large.

The Additional Subject Matter increase the flexibility of the SOC 2 report to include coverage of significant concerns of business partners when outsourcing certain activities given the current, expanding compliance landscape. Below is a table highlighting these changes:

– note this table information obtained from the AICPA website

Below are some use cases where these additions could come in handy:

• Description of the physical characteristics of a service organization’s facilities
  • Specific sizes of rooms and spaces, or other contracted terms as it relates to a physical attribute claimed by the company to clients (data center cage size, storage/shelf space, processing floor, etc).
• Historical data related to the availability of computing resources
  • Adherence to SLA requirements at various levels (overall system availability, by client, retention duration (1 month, 6 months, 7 years), etc.).
• Compliance with a statement of privacy practices
  • Beyond testing the general privacy criteria, some clients may require further coverage based on industry requirements, including third party review of a business’ compliance with their statement of privacy practices.
• Requirements set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Administrative Simplification 45 CFR Sections 164.308-316
  • Beyond testing the general privacy criteria, some clients may require further coverage based on industry requirements, including third party review of a business’ compliance with the HIPAA 45 CFR 164.308-316 requirements.
• Criteria established by an industry group
  • There is significant overlap with many companies who require a SOC 2 and some combination of the other major standards, including, but not limited to:
    • HITRUST Common Security Framework (CSF)
    • CSA Security Trust & Assurance Registry (CSA-STAR)
    • ISO-27001
    • NIST SP-800-53 R4
    • COSO
    • COBIT

The standards listed above have formal mappings in place with SOC 2 and available from the AICPA.

These changes have the potential to reduce overall compliance costs and efforts. Headaches like multiple rounds of testing per year, contracting of multiple firms to perform different audits, additional tracking of controls, and other nuances that come with multiple compliance efforts can be greatly reduced and addressed in one report (depending on your Customer’s requirements).

The one thing to keep in mind is that with the inclusion of these additional subject matter and criteria from outside standards, if they are to be included within the SOC 2 report, the controls are required to be tested with the same level of detail and sampling methodology as the AT101/SOC 2 standard calls for. This means, if the audit is required to cover compliance with a statement of privacy practices there is no spot checking in the SOC 2 Type II – it would be full sample testing with the potential to span across all patients depending upon the requirement and having the support available to back it up.

If you’re ready to find out more about how to enhance your current SOC 2 or need help starting you’re first and want to ask a few questions to an expert, please reach out to Find a SOC 2 Provider  via the link provided or contact form below to speak with a qualified professional.