Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification (SSAE 18), is the new standard drafted by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board (ASB) for attestation engagements and reports. The new standard changes some of the requirements and areas of focus for Service Organization Control 1 (SOC 1) examinations. These changes will help to simplify U.S. attestation standards and converge them with international standards. The ASB issued the new standard so that, regardless of where operations are located (Europe under an ISAE or Canada under a CSAE), the standards are unified and accepted, and there will no longer be a need to issue both a CSAE and an SSAE report for the same company. Overall, the ASB is re-categorizing and codifying all attestation standards (AT) into one location, the AT-C sections.
Under that recodification, AT-C 315 changes the name of these engagements from SSAE 16 reports to simply SOC 1 reports.
The main changes in the new standards, as they relate to SOC 1 engagements, address areas that the Auditing Standards Board has considered weak, poorly understood, or not currently addressed in reports over the past several years.
Risk assessment is the top change, and rightfully so. With the number of security issues plaguing companies across all industries lately, an organization's ability to identify and assess its risks is extremely important when determining whether adequate controls are designed, implemented, and operating effectively. Specifically, the SOC 1 audit standard now requires that management acknowledge and accept its responsibility for identifying the risks that threaten the achievement of the control objectives stated in the description, and for designing, implementing, and documenting controls that are suitably designed and operating effectively to provide reasonable assurance that the control objectives stated in the description of the service organization's system will be achieved. Under the new standards, auditors will be required to determine whether the audit evidence demonstrates the accuracy and completeness of this more formal risk assessment.
Vendor management is the other major change. Responsibility cannot be outsourced, especially where subservice organizations are concerned. It always has been, and is now more than ever, management's responsibility to understand what subservice organizations are doing from a security and risk standpoint and how controls at the subservice organization are established and monitored. Service organizations are now required to manage their subservice organizations' compliance and must include some combination of ongoing monitoring, to determine that potential issues are identified in a timely manner, and separate evaluations, to determine that the effectiveness of internal control is maintained over time. Organizations must understand the risk a vendor poses to them and ensure that the vendor is meeting the control objectives in the description. Some examples given in the SOC 1 standard for accomplishing this requirement are:
- Reviewing and reconciling output reports;
- Holding periodic discussions with the subservice organization;
- Making regular site visits to the subservice organization;
- Testing controls at the subservice organization by members of the service organization's internal audit function;
- Reviewing Type I or Type II reports on the subservice organization's system;
- Monitoring external communications, such as customer complaints relevant to the services provided by the subservice organization.
As we move into these new standards (effective for all SOC 1 reports issued after May 1, 2017), we are advising all clients, and all companies considering SOC 1 compliance, to begin performing formal risk assessments and implementing more robust vendor management reviews. Your advisors and consultants at Warren Averett are always available to help you understand these new changes and how they will affect your SOC 1 reports.
Paul Perry, FHFMA, CITP, CPA, CISM
Kevin Bowyer, CPA, CITP, CISA