SSAE 18 Changes

FAQs


Service Organization Controls (SOC) reports must meet the requirements set forth by the “Statements on Standards for Attestation Engagements” as part of their audit engagements. Previously SSAE-16 (and before that the SAS 70), the SSAE-18 was established by the Auditing Standards Board (ASB) which is a section of the American Institute of Certified Public Accountants (AICPA).

The two primary types of SOC reports, SOC 1 and SOC 2, review different aspects of a service organization’s control environment. The SOC 1 examination audits the internal controls over financial reporting. The SOC 2 audit reviews internal controls over the organization’s system to ensure data security, availability, processing integrity, confidentiality, and privacy.

Superseding the“Statements on Standards for Attestation Engagements 16, Reporting on Controls at a Service Organization” standard (SSAE 16), the SSAE 18 incorporated four changes that intended to make the SOC 1 reports more useful. Of these changes, two refocused the audit to create consistency across regulatory requirements.

As a new standard, the SSAE 18 focused on service organizations creating their own risk assessment process. The service auditor for a SOC 1 reviews output reports supporting controls covering initiating, recording, processing, and reporting financial transactions. For a SOC 2 report, the system controls governing everything from the physical environment to external communications networks need to be analyzed.

Next, the SSAE 18 incorporated a formal Third Party Vendor Management Program requirement. This expanded the original standard and requires companies to review the potential affect their subservice organizations may have on business operations. These organizations include cloud service providers, data centers, Software-as-a-Service platforms, as well as other outsourced vendors. As part of a company’s review of the subservice organization’s system, it must also review the complementary subservice organization’s controls. This risk analysis requires at minimum periodic discussions with the vendor but may also include regular site visits and customer complain reviews.