AICPA Updates Service Organization Controls Engagements with Issuance of SSAE No. 18

Service organizations planning to engage a service auditor to issue Service Organization Controls (SOC) reports will find a change in 2017 resulting from clarified and updated attestation standards under which their accountants perform SOC examinations.

Statements on Standards for Attestation Engagements (SSAE) No. 18, issued by the AICPA Auditing Standards Board in April 2016, redrafted standards for SOC examinations as well as other types of attestation engagements. It replaces SSAE No. 16, Reporting on Controls at a Service Organization.  

This was done to:

  • Help unify concepts common to all attestation engagements
  • Provide greater clarity to practitioners
  • Address feedback about the length and complexity of the previous standards

The changes under SSAE 18 will be required for service auditors’ SOC reports dated on or after May 1, 2017.

In many respects the changes to requirements for SOC examinations from SSAE 16 to SSAE 18 will have minimal impact to service organizations that have already been demonstrating rigor in their control practices and providing a SOC report to their users or independent auditors of their users. However, the update will be most notable in these five areas:

  • Naming convention
  • Vendor management
  • Complementary subservice organization controls
  • Service auditor risk assessment
  • Written assertion requirements

Naming Convention

Going forward, SOC reports will eliminate references to SSAE 16. From a practical perspective, this means that service organizations and the market should simply reference service organization examination reports as SOC 1, SOC 2, or SOC 3 reports, or service organization controls reports, as opposed to SAS 70, SSAE 16, or SSAE 18 reports.

Vendor Management

When subservice organizations are integrated as part of a service organization’s control environment, management of the service organization has the responsibility of monitoring and reporting on the effectiveness of the subservice organization’s controls. This may include cases in which the service organization uses data centers, cloud infrastructure and platforms such as Amazon Web Services or Microsoft Azure, other Software as a Service solutions, and outsourced vendors.

It’s currently common practice for service organizations to carve out these entities and demonstrate management’s review of the subservice organization’s SOC reports. Going forward, additional monitoring efforts may be needed to assess the effectiveness of subservice controls and react in a timely manner.

Practical examples of management’s monitoring of subservice organization’s activities may include:

  • Reviewing and reconciling output reports generated from the subservice organization.
  • Attending and formally documenting periodic discussions with the subservice organization to ensure the subservice organization’s controls are operating effectively.
  • Making site visits or performing internal audits at the subservice organization.
  • Testing controls at the subservice organization by members of the service organization.
  • Reviewing the SOC 1 and SOC 2 reports on the subservice organization’s system and formally discussing any applicable exceptions and complementary user entity controls with the subservice provider. This is expected to be performed soon after the issuance date of the subservice organization’s SOC report.
  • Monitoring external communications, such as customer complaints and requests relevant to the services provided by the subservice organization, and communicating these observations to the subservice provider.

Where relevant, service organizations should be prepared to maintain additional supporting documentation throughout the year in order to meet these updated examination requirements. It’s important to begin preparing early for current-year SOC reporting engagements.

Complementary Subservice Organization Controls

Service organizations have historically presented their own complementary user entity controls within the system description section of the SOC report. However, the system description hasn’t traditionally included reference to the relevant controls relied upon through their use of subservice organizations.

Complementary subservice organization controls is a new term used to reference subservice organization controls that service organizations rely on to meet the expected control objective. Under these circumstances, management and the service auditor need to consider the subservice organization controls assumed in the design of the service organization’s own system and how the service organization ensures that control objectives were met.

For instance, where the “carve-out method” is applied to address services provided by a subservice organization, the service organization defines the carve-out in its management description of its system and makes a statement that the complementary subservice organization controls are assumed in the design of the service organization’s controls. The service auditor then defines the carve-out in the service auditor’s report and states that certain service organization control objectives can be achieved only if complementary subservice organization controls assumed in the design of the service organization’s controls are suitably designed and operating effectively.

Service organizations will be expected to share these items with their service auditor:

  • Relevant controls in place at their subservice organization
  • How those controls will be presented in their own SOC report
  • Assessment of any steps necessary to respond to those controls

Service Auditor Risk Assessment

In addition to obtaining an understanding of the service organization’s process to prepare the description of the service organization’s system, including determining control objectives, identifying controls designed to achieve the control objectives, and assessing the suitability of the design and operating effectiveness of the controls, the service auditor is now responsible for obtaining a more in-depth understanding of the service organization’s system and controls to the extent of reviewing available reports of the internal audit function and regulatory examinations relevant to the engagement.

This gives the auditor an understanding of the nature and extent of the procedures performed and the related findings. The findings are taken into consideration as part of the risk assessment and in determining the nature, timing, and extent of the procedures to be performed by the service auditor.

Written Assertion Requirement

SOC reports have always contained assertions made by the service organization. However, prior to SSAE 18, it was optional for management to officially sign the assertion letter because it signs a management representation letter. Going forward, the service organization will need to sign the management assertion presented with the service auditor’s SOC report.

Implementation

The changes to the standards your service auditor follows for a service organization controls examination are effective for service auditors’ SOC reports dated on or after May 1, 2017.

We're Here to Help

Each service organization should have an in-depth planning discussion with its service auditor to ensure it understands and is comfortable with the upcoming changes in the service auditor’s procedures for this next reporting cycle. Visit the AICPA Web site for more information on its Statements on Standards for Attestation Engagements.

If you’d like to better understand how these changes affect your organization, contact one of our partners:

Chris Kradjan
chris.kradjan@mossadams.com

Kim Koch
kim.koch@mossadams.com

Francis Tam
francis.tam@mossadams.com

Colin Wallace
colin.wallace@mossadams.com