New guidance has been provided for the Service Organization Control (SOC) 1 report, also known as the Statement on Standards for Attestation Engagements (SSAE) No. 16 (SSAE-16). Next month, the new SSAE-18 will replace the current SSAE-16 report and will be effective for reports dated on or after May 1, 2017. SOC reports provide insight into a provider’s operations to instill confidence in their services. Independent auditors conduct SOC attest engagements in accordance with the American Institute of Certified Public Accountants (AICPA) standards. While voluntary, SOC reports are highly regarded by customers, auditors, and various stakeholders to support compliance and oversight activities.
The SSAE-16 focused on internal controls over financial reporting. Organizations that can obtain these reports include those with services related to payment card processing, financial applications, and online document management repositories that could house financial files.
The SSAE-18 expands on the SSAE-16 to include the controls of Sub-Service Organizations (SSO), which are “service organizations used by another Service Organization (SO) to perform some of the services provided to user entities’ internal control over financial reporting (SSAE 16/SOC 1) (AICPA).” The term “user entities” refers to the customers of the services obtained from a service provider. Overall, not much change is required on the part of the SO.
The main changes in the newly developed SSAE-18 provide additional clarity of guidance on, and oversight of, SSO activities that contribute to the SO’s services. The SSAE-18 format contains various changes, which include description details for the SSO, monitoring controls by the SO for the SSO’s relevant controls, and evidence reliability guidance, among other related details.
Furthermore, auditors should update their templates and methodologies prior to the May 1, 2017, effective date. SOs should also be aware of the new types of information that will be requested to coordinate with SSOs to support audit responses. User entities can anticipate these additional details being included in future SOC 1/SSAE-18 reports that they obtain and review for compliance efforts.