KSM Blog | Katz, Sapper & Miller CPA

New SSAE 18 Standard Impacting SOC Engagements

Posted 3:02 PM by

For some business owners, diving headfirst into a System and Organization Controls (SOC) engagement can be an intimidating task. Between the different reporting standards, confusing acronyms and a variety of reports, it is often difficult to wade into these waters without feeling like you are being pulled under.

However, the American Institute of CPAs (AICPA) has recently clarified and updated the attestation standards which make the SOC world less complex. While SOC 1 reports were previously issued under a different attestation standard (SSAE 16) than SOC 2 and SOC 3 reports (AT 101), a clarity project was completed in Spring 2016 to introduce a new unified standard, SSAE 18, Concepts Common to All Attestation Engagements. The new standard combines all previous attestation standards and is applicable to all reports issued after May 1, 2017.

The overall goal of all SOC products is to provide a greater level of transparency and comfort in the key controls a service organization has used over a defined examination period. SSAE 18 is not a clean slate, but rather a clarification. This clarification in reporting requirements emphasizes vendor management and risk assessment, requiring a more comprehensive look at subservice organizations in order to better understand which services are being delivered by which organizations.

In any SOC report, a service organization’s key controls are evaluated by an independent service auditor, such as a CPA firm, who is responsible for testing individual controls using the information provided by the service organization. This important information is still the cornerstone of the clarified standards, but SSAE 18 includes additional requirements to further validate the overall assessment. The two most significant SSAE 18 requirements include:

  • A service organization must disclose any relevant subservice organizations (third parties contracted by a service organization to perform activities or provide services) by describing the relationship and any relevant services being provided. They must also monitor and assess the effectiveness of any relevant controls provided by the subservice organization. The AICPA outlines several ways to do this:
    • Review and reconcile output reports
    • Hold periodic discussions with the subservice organization
    • Make regular site visits to the subservice organization
    • Use an internal audit group to test controls at the subservice organization
    • Review SOC 1 or SOC 2 reports on the subservice organization’s system
    • Monitor external communications, such as customer complaints, that are related to the services provided by the subservice organization

This step puts greater responsibility on a service organization to hold its subservice providers accountable for their key controls.   

  • The independent service auditor must take additional steps to validate the data being provided by the service organization. This validation includes making sure the data is accurate, complete and detailed as it pertains to the examination. This is especially important for system-generated reports. The service auditor needs to understand the configuration and parameters that generated the report. Once the service auditor understands the nature of the report, the information can be sufficiently evaluated to determine its reliability in accurately assessing the design and effectiveness of the control in question.

Venturing into the unfamiliar world of SOC reporting is less intimidating with a knowledgeable partner as a guide. KSM’s expertise helps any service organization in need of a SOC report confidently navigate the process. 

About the Author
Ryan Elmore is a director in Katz, Sapper & Miller’s Audit and Assurance Services Group and a member of the firm's growing SOC Services Group. Ryan is charged with managing all elements of system and organization controls (SOC) compliance engagements. Connect with him on LinkedIn.
