Effective for any Service Organization Control (SOC) reports issued after May 1, 2017, SSAE No. 18 is the standard that recodifies and replaces all the previous attestation standards including SSAE No. 16. SSAE refers to the AICPA’s Statements on Standards for Attestation Engagements. This is the culmination of the AICPA’s efforts to clarify the various standards for performing attestation engagements, which includes, among many others, SOC 1 (commonly referred to as SSAE No. 16), SOC 2 and SOC 3 (AT Section 101) into a single set of standards for the auditors. The terms SOC 1, SOC 2 and SOC 3 reports have become well accepted and will remain the primary way to refer to these audit reports.
For the SOC reporting space, the recodification of attestation standards (SSAE No. 18) is largely a simplified version of the existing standards. The net effect is that an “SSAE 16” SOC 1 will look nearly identical to an “SSAE 18” SOC 1. The SOC reports will not see very many major changes; however, there are at least four (4) key areas of emphasis worth noting for SOC 1 reports:
1. Modification to assertion criteria. An additional description criterion related to sub-service organizations (relevant third-party organizations used by the service organization) is included within the re-codified attestation standard. The services performed by sub-service organizations and whether the sub-service organization’s controls have been included or carved out of the scope of the examination have always been part of the SOC 1 examination and resulting report. This change, however, does re-emphasize the importance of describing this specific relationship and disclosing it in a fair manner.
- Fair presentation of sub-service organizations also includes a description of any controls (complementary sub-service organization controls) that the service organization assumed in the design of its controls. A common example is when a service organization outsources data center operations to a colocation facility or its platform hosting services to a cloud services provider. In both instances, the service organization normally assumes that the colocation provider or cloud services provider has implemented controls regarding the physical and/or logical safeguarding of their operating environment. As a result, those safeguards and controls would complement the additional controls to be performed by the service organization itself. In these instances, a description of such assumed complementary controls should be included in the service organization’s system description. This change impacts the management assertion letter to be included in the SOC 1 reports.
2. Monitoring the effectiveness of controls at a sub-service organization. This is arguably the most significant change in SOC 1 reports due to SSAE 18. The revised attestation standard does require the auditor to determine and report on the controls the service organization has implemented to monitor the relevant controls at sub-service organizations. It addresses the question as to whether the service organization has effective oversight of their sub-service organizations. The revised standard also formally includes monitoring of sub-service organizations, if any, into the scope of a service organization’s SOC 1. The revised standard provides for examples of sub-service organization monitoring activities, including the following:
- Reviewing and reconciling output reports: Service organizations may implement procedures to verify the accuracy and completeness of output reports (or files) received from their sub-service organizations. Management of the service organization should be prepared to describe the review and/or reconciliation procedures performed (including the nature, timing and extent of the review procedures), the source of the data or information used for reconciling against the sub-service organization’s output reports, and the process for remediation or corrective action if deviations are determined.
- Periodic discussion with the sub-service organization personnel: An effective way for the service organization’s management to determine the sufficiency of the sub-service organization’s controls and their operation may also include periodic discussions with the relevant sub-service organization personnel. Due to the limitations on the reliability of inquiry-based assurance methods, however, service organizations may consider both the use of comprehensive and structured written questionnaires with requests for corroborative documented evidence, and that the questionnaires (or discussions) be completed by members of the sub-service organization with the requisite knowledge, skills and familiarity with the applicable controls and the service organization’s system. Management of the service organization should be prepared to describe the process for these discussions in its system description.
- Regular site visits: In many instances, the service organization may determine an on-site walk-through and tour of the relevant portions of the sub-service organization’s operations is warranted. This may include an on-site discussion during the site visit as well. Management of the service organization should be prepared to describe the frequency and extent of the site visit processes, including the process for handling nonconformities or deviations that may affect the services organization’s services.
- Testing controls at the sub-service organization: Perhaps the most effective method service organizations may use to monitor the performance of the controls at their relevant sub-service organizations is to use the service organization’s internal audit personnel to conduct tests of controls at the sub-service organization. Several factors can be considered with this approach, including a risk assessment of key or critical controls when developing the audit plan(s), the rotation or frequency of the audits if multiple sub-service organizations are used for the services, the skills and knowledge of the service organization’s internal audit personnel who would perform the audits, and whether the audits would be efficient and provide the relevant control performance information in a timely manner. It remains, however, that controls testing can provide very effective information on the controls performance of sub-service organizations, particularly when combined with the other monitoring methods described here. Management of the service organization should be prepared to describe the process for conducting testing of controls at sub-service organizations, including the process for determining which controls to test, the frequency of the controls testing, the method of documenting and reporting the results of those tests, and the process for ensuring that identified deficiencies and deviations are resolved by the sub-service organization in a timely manner.
- Monitoring external communications: Service organizations may decide, alone or in combination with other monitoring methods, that monitoring external communications such as customer complaints, regulatory agency reports, or other communications on the effectiveness of the control operations at sub-service organizations is an appropriate method for determining the sufficiency of controls at those organizations. Management should be prepared to describe these monitoring processes within its description of its system.
- Reviewing SOC reports of the sub-service organization’s system: An increasingly popular trend for service organizations to get the information they need regarding the control performance at sub-service organizations is to receive and read the SOC reports from those sub-service organizations. Typically, Type 2 SOC 1 or Type 2 SOC 2 reports are likely to provide the necessary information regarding the control performance over their Type 1 counterparts or SOC 3 reports, but service organizations may also consider other types of properly prepared attestations that are relevant to their services. Many organizations use this monitoring method, particularly if the service organizations use multiple sub-service organizations, and performing the audits of those sub-service organizations would be too time-consuming or expensive. Organizations that use SOC or other attestation reports to monitor those sub-service organizations should pay additional attention to any complementary user entity controls described in those reports, as those CUECs represent the control assumptions that their sub-service organization assumed the service organization would implement when the sub-service organization designed its controls.
Service organizations can expect these or similar monitoring controls to be a more prominent subject within their SOC 1 reports going forward.
3. Evaluating the reliability of evidence produced by the service organization. The SSAE 18 standards describe how auditors need to evaluate the reliability of evidence in very clear and definitive terms. Although this writing is focused on SOC 1, auditors of SOC 2 and SOC 3 examinations alike are required to ensure that the evidence provided by the service organizations is sufficiently accurate, complete and detailed for their audit purposes. SSAE No. 18 provides the following listing of examples of information that a service auditor receives, which may likely require additional evaluation going forward:
Population lists used for sample tests;
Lists of data with specific characteristics;
- Transaction reconciliations;
- System-generated reports;
- Other system-generated data (e.g., configurations, parameters, etc.); and,
- Documentation that provides evidence of the operating effectiveness of controls, such as user access listing.
For SOC auditors, this may require more detailed and documented qualitative procedures to determine the sufficiency of the evidence provided by the service organization. For service organizations, this may require more detailed or corroborative artifacts supporting the evidence provided to auditors.
4. Obtaining an understanding of the service organization’s system and assessing the risk of material misstatement. SSAE No. 18 provides additional guidance on assessing the risk of material misstatement. The revised standard provides guidance on this risk assessment in a more prominent way. Service organizations may notice some minor differences regarding this area.
What To Do Next and Looking Ahead for SOC 2
Service organizations should consult with their service auditors regarding their SOC 1 reports and the impact of the SSAE No. 18 recodification to their SOC 1 examinations and reports. While the above summary is not intended to be an exhaustive review of all of the differences from SSAE No. 16 as provided by SSAE No. 18, it should provide most service organizations with a starting point for discussion. SSAE No. 18 becomes effective as of May 2017.
Finally, the AICPA is planning to issue new guidance in 2017 for SOC 2 reports which will include significant change to the Trust Service Principles in an effort to align better with the COSO 2013 Internal Control Framework. We expect SOC 2 reports to continue using the current Trust Principles in 2017 and to make the major conversion in 2018.