System and Organization Controls (SOC) reports will now be issued under Statement on Standards for Attestation Engagements No. 18, Attestation Standards: Clarification and Recodification (SSAE 18), and specifically under AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting. The switch to SSAE 18 takes effect May 1, 2017. From that date, SOC 1 reports will no longer be issued under SSAE 16 (under which they have been issued since 2011), and SOC 2 and SOC 3 reports will no longer be issued under AT 101. The change will modify some wording in the opinion, but will not impact service organizations* in any way.
Shift to SSAE 18
The American Institute of Certified Public Accountants (AICPA) released SSAE 18 to consolidate multiple attestation standards and to clarify the assurance services that CPA firms perform. The change was also intended to address concerns about the complexity and length of the AICPA standards that SSAE 18 replaces (SSAEs 10 through 14, 16, and 17). In short, SSAE 18 is a cleaner version of the previous standards.
Until now, the terms “SSAE 16” and “SOC 1” have often been used interchangeably. That was generally fine because SSAE 16 was specific to SOC 1 reports, but SSAE 18 covers all attestation engagements, so SOC 1 reports should not be referred to as “SSAE 18 reports”. They should simply be referred to as SOC 1 reports. CPAs have never been great at naming things, and some confusion is expected at first, but the hope is that the SOC reports will be referred to by their individual names (i.e., SOC 1, SOC 2, and SOC 3) and not by the statement number (i.e., SSAE 18).
How This Impacts Service Organizations and User Entities
SOC 1 reports will look nearly identical under SSAE 18 to how they looked under SSAE 16, and the changes to the reports will be minor, so there is not much that service organizations will have to change, especially Holtzman Partners clients. However, the change to SSAE 18 does result in five main changes:
1. Monitoring the effectiveness of internal controls at subservice organizations (i.e., vendor management)
Service organizations must implement sufficient controls to monitor the relevant controls at their subservice organizations.** This has always made sense to us at Holtzman Partners, and we have encouraged our clients to maintain appropriate vendor management controls. The easiest way to accomplish this has been to obtain the subservice organization’s SOC report(s) and review the report(s) to ensure that:
- the scope of the report includes the specific services provided by the subservice organization and relied upon by the service organization;
- any exceptions noted in the testing of the controls would not impact the operating effectiveness of the service organization’s control environment; and
- the Complementary User Entity Control Considerations were adequately addressed by controls at the service organization.
The AICPA agrees that reviewing a SOC report is an acceptable method for monitoring the effectiveness of internal controls at a subservice organization. If the subservice organization does not have a SOC report, the AICPA has provided additional examples of acceptable monitoring activities:
- Reviewing and reconciling output reports.
- Having periodic discussions with subservice organization personnel.
- Making regular site visits to the subservice organization’s location.
- Independently testing controls at the subservice organization.
- Monitoring external communications (e.g., customer complaints about the subservice organization).
2. CPA firms need to identify and assess the risk of material misstatement and perform procedures in response to those risks (i.e., perform a risk assessment)
Service auditors have always needed to understand the service organization’s system and the risks to that system; however, under SSAE 18 they are instructed to better identify potential areas of risk specifically with regard to material misstatement. This will better align the testing procedures performed by the service auditor with the areas of material misstatement risk. Holtzman Partners has taken a risk-based approach to SOC attestation engagements since the founding of our firm in 2004, and our clients will not notice any differences in this approach.
3. Complementary Subservice Organization Controls and modifications to management’s assertion
SSAE 16 requires that service organizations provide Complementary User Entity Control Considerations*** as part of the SOC report; these are controls that user organizations should perform in order to rely on the controls in the SOC report. Given the increase in outsourcing of procedures and the shift of control responsibilities to subservice organizations, SSAE 18 introduces an additional requirement to include Complementary Subservice Organization Controls in SOC reports. This listing is meant to describe the controls that the service organization assumed a subservice organization performs when it designed its system description. For example, if a service organization uses a datacenter for the colocation of its servers, it assumes that the datacenter will perform controls around physical security and environmental safeguards. Those controls complement the controls performed by the service organization. These controls should be included in the system description, and an additional description criterion must be added to management’s assertion. Holtzman Partners has always believed that it made sense to describe the controls performed by subservice organizations, and we have therefore encouraged clients to include them in their system descriptions. Going forward, this will be a requirement for SOC report system descriptions, and management’s assertion will be updated to confirm this point.
4. Evaluating the reliability of evidence produced by the service organization
SSAE 18 clarifies the requirements for ensuring that evidence provided by service organizations is complete, accurate, and sufficiently detailed. Examples of documentation that must be evaluated under these clarified requirements include populations used for sampling, exception reports, reconciliations, system-generated reports, configurations, access listings, and similar artifacts. Most auditors have always treated this as a requirement for their auditing procedures to be effective, so it will present no change for Holtzman Partners’ clients. However, it will ensure that all auditors follow the same set of comprehensive procedures to validate completeness and accuracy.
5. Signing of management’s assertion
SSAE 16 requires a management assertion in each SOC 1 report; however, it was not clearly stated whether the assertion had to be signed by management. SSAE 18 clarifies that the management assertion must be signed by management of the company. Holtzman Partners has always felt that it made sense to have management sign an assertion about the completeness and accuracy of their description to strengthen the credibility of the report, so our clients will not see a change here.
*Service organization – The company that the SOC report describes and for whom the SOC report is being issued (i.e., Holtzman Partners’ client).
**Subservice organization – A company that is used by the service organization and relied upon for the performance of certain internal controls (for example: datacenters, cloud providers, security monitoring vendors, etc.).
***User entity – A client of the service organization (i.e., Holtzman Partners’ clients’ customers).
If you have any questions about the switch from SSAE 16 to SSAE 18, would like to discuss this topic further, or you have a need for a SOC report, please reach out to us at 512.610.7200 or online at www.holtzmanpartners.com. We’re happy to speak with you.