Transitioning from SSAE 16 to SSAE 18: What Service Organizations Need to Know
In May 2016, the American Institute of Certified Public Accountants (AICPA) released new attestation standards to address concerns over the clarity, length, and complexity of its criteria. The new Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification, has a broad focus, including changes on the audit practitioner side as well as on the service organization side. For System and Organization Controls (SOC) examinations, the most significant changes are the requirement to monitor the effectiveness of controls at subservice organizations and the data validation requirement.
SSAE 18 is effective for SOC report opinions dated on or after May 1, 2017. Early adoption is permitted.
Monitoring of Subservice Organization(s)
In the past, service organizations have struggled with monitoring subservice organizations. A subservice organization is an entity that the service organization uses (outsources to) in order to perform certain services provided to its customers (user entities). An example of a subservice organization is a third-party data center, or any third party that provides a service to the service organization that is likely to be relevant to the user entities' internal control over financial reporting. This is also an area where control issues are often found during the SOC reporting process. Under the new standard, service organizations must monitor the effectiveness of controls at their subservice organization(s). Monitoring can be performed through the following activities:
- Reviewing and reconciling output reports
- Holding periodic discussions with the subservice organization
- Making regular site visits to the subservice organization
- Testing controls at the subservice organization by members of the service organization’s internal audit function
- Reviewing Type 1 or Type 2 reports on the subservice organization’s system and testing the complementary user entity controls
- Monitoring external communications, such as customer complaints, relevant to the services provided by the subservice organization
Data Validation Requirement
It is no longer permissible under SSAE 18 to refer to reports simply as “system-generated” within management's description of the system. The nature of each report must be disclosed and described. In similar fashion, when using information produced by the service organization, SSAE 18 requires the service auditor to evaluate whether such information is sufficiently reliable for the auditor's purposes. Evidence about its accuracy and completeness must be obtained, including an evaluation of whether the information is sufficiently precise and detailed.
Examples of information produced by a service organization that are commonly used by a service auditor include:
- Population lists used to select a sample of items for testing
- Lists of data that have specific characteristics
- Exception reports
- Transaction reconciliations
- Documentation that provides evidence of the operating effectiveness of controls, such as user access lists
- System-generated reports
- Other system-generated data
What Does CohnReznick Think?
Service organizations should implement a robust third-party vendor management policy and ensure that it is being carefully followed. It is just as important to ensure that subservice organizations are monitored on an ongoing basis using the methods outlined in SSAE 18, and that the complementary user entity controls required by each subservice organization are tested.
Service organizations should also inventory their reports or other system-generated data used within their control activities to better understand the additional procedures that will be required by the service auditor.
To learn more about CohnReznick's IT Audit Practice, visit our webpage.
This has been prepared for information purposes and general guidance only and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.