The AICPA’s Auditing Standards Board (ASB) has revised the existing attestation standards and released the new Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification. SSAE No. 18 replaces SSAE No. 16 as the standard for any SOC 1 report dated on or after May 1, 2017. For additional information on SSAE No. 18, please refer to our SSAE 18 Attestation Standards: Clarification & Recodification article.
AT 801 Standard Superseded by AT-C 320
The ASB’s revisions affect the examination standard AT Section 801, Reporting on Controls at a Service Organization (AT 801), the standard under which Service Organization Controls (SOC) 1 reports are issued. AT 801 has been superseded by AT-C Section 320 Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (AT-C 320) of SSAE 18.
What has changed from SSAE No. 16 to SSAE No. 18 as it relates to SOC 1 reports?
So what are the main highlights of this change from SSAE No. 16 to SSAE No. 18, and how do they impact current SOC 1 reports? After reviewing the new guidance, Linford & Company has determined that there are three main changes, which are highlighted below. There are other minor changes in the guidance, but the changes listed below have the greatest impact on service organizations and on the auditors performing their SOC 1 examinations.
Here are the main changes from SSAE 16 to SSAE 18 as they relate to SOC 1 reports, effective May 1, 2017:
Service Organization Risk Assessment
(found in the guidance at .10 .b .v & A.17)
Auditors performing the SOC 1 examination will be required to take a more detailed look at risks to the service organization. Auditors will be required to obtain an understanding of the risks that threaten the achievement of the control objectives, assess the risk of material misstatement, and determine that controls are in place in response to those risks. Prior to the change in the standard, auditors were required to have knowledge of the risks and an understanding of what the service organization was doing to address them, but were not required to assess and respond to those risks themselves.
At Linford & Company, we have always completed a risk and control matrix for all SOC engagements to verify that risks are being addressed. If a service auditor has been completing this all along, the impact of this change in the guidance is minimal. The impact on the service organization should also be minimal, though service auditors may ask additional questions around the risk assessment process the service organization completes.
Monitoring the Effectiveness of Controls at Subservice Organizations
(found in the guidance at .15 .a .viii & A.15 & A.27)
Service organizations should assess their monitoring controls for subservice organizations and ensure they cover all subservice organizations, including those presented under the inclusive method. This monitoring should include obtaining SOC 1 or SOC 2 reports from each subservice organization and reviewing the controls, the control testing, and the results of that testing in Section IV of the report.
If a SOC report is not available from the subservice organization, monitoring could instead include reviewing and reconciling output reports received from the subservice organization, holding discussions with the subservice organization, making site visits to the subservice organization, or having members of the service organization’s internal audit function test controls at the subservice organization.
From the service auditor’s perspective, the service organization’s monitoring procedures should continue to be included in management’s description of its system in Section III of the SOC 1 report, but not listed as controls tested by the service auditor within the control matrices in Section IV of the report.
Complementary Subservice Organization Controls
(found in the guidance at .25 .c)
A user control consideration, client control consideration, or complementary subservice organization control (referred to as a user control consideration going forward) is a control that management assumes is implemented by a party outside the service organization (a user entity, or, in the case of a complementary subservice organization control, the subservice organization) and that is necessary, in combination with the service organization’s own controls, to achieve a control objective stated in management’s description.
User control considerations are part of management’s description, but the service auditor’s procedures do not extend to these controls. Under the new guidance, service organizations should assess the subservice organizations carved out of their SOC 1 reports and document the controls they assumed the subservice organization had in place when designing their system, as well as the user control considerations that the subservice organization lists in its own SOC report.
In performing this review, the service organization should review the SOC 1 or SOC 2 reports received from its subservice organizations to understand the controls and the user control considerations that each subservice organization has detailed within the description of its system. Those subservice organization user control considerations that impact the service organization should be documented in Section III of the report, in management’s description, and also included in Section IV of the report, where the control testing and the results of that testing are documented.
The service organization should create a process for tracking and monitoring these user control considerations on an annual basis to verify that the controls specified by the subservice organization that are the responsibility of the service organization are actually being addressed. This tracking and monitoring of user control considerations will itself be a control in the SOC 1 report.
The service auditor can provide guidance to service organizations on where to look for these user control considerations in SOC reports from their subservice organizations. For example, at Linford & Company we provide our clients with a template that can be used to document and track these user control considerations, and we help our clients determine which subservice organizations they should be obtaining SOC reports from, and then how to find the key information in the reports.
Referring to SOC 1 Reports by Name
In addition to the changes noted above, going forward reports will be referred to as SOC 1 reports and NOT by the name of the standard. In the past the reports could be referred to as a SOC 1 or an SSAE 16 (the previous standard), but the AICPA has decided to do away with referencing the standard as part of the name and wants the reports to be called SOC 1 reports going forward. Keeping the name consistent will help eliminate confusion whenever the SSAE standard changes. This means a SOC 1 report should never be referred to as an SSAE 18 report; it is always a SOC 1 report.
While the revisions from SSAE No. 16 to SSAE No. 18 are not significant, service organizations and their auditors should familiarize themselves with the changes and determine the impact they have on existing SOC 1 reports and on new reports going forward. The service organization’s auditor should be able to guide the service organization through its next SOC 1 report and make sure the new requirements under the SSAE No. 18 standard are included.
If there are questions about the standard, or SOC reports, please reach out to us.