About SOC 1 / SSAE 18

Governed by the AICPA (American Institute of Certified Public Accountants) standards, SOC (Service Organization Control) 1 reports allow your clients to be assured that the appropriate controls are in place in your environment that are relevant to your clients’ controls over financial reporting.

Previously, SAS 70 (Statement of Attestation Standards) was used to provide evidence that an organization had operational controls in place with regard to the financial reporting of their customers. However, as of 2011, SOC 1 / SSAE 16 (Standards of Attestation Engagements) superseded SAS 70.

As of May 1, 2017, any report opinion on or after that date will be issued under the SSAE 18 standard.

Remember that two types of SOC 1 reports exist:

  • Type I: Test of Control Design Effectiveness (As of a period of time)

  • Type II: Test of Control Operating Effectiveness (During a period of time)

Many times, clients call Type I the policies documentation and Type II the testing phase. Although this is accurate, Type I is more than that as several other audit artifacts are required outside of policies and procedures (e.g. Risk Assessment, Pen Testing etc.). Elevate helps you navigate through the difference and determine what is the best approach to achieve compliance.

What changed between SSAE 16 and SSAE 18?

The most significant change in the requirements that has to be met by a service organization is ensuring that its vendor management program for subservice providers (for example colocation facilities) is significantly robust. SSAE 18 is requiring that service organizations implement processes that monitor the controls at subservice organizations. SSAE 18 provides the following control suggestions:

  • Review and reconcile output reports
  • Hold periodic discussions with the subservice organization
  • Make regular site visits to the subservice organization
  • Test controls at the subservice organization (key vendors that are part of the ecosystem for certification) by members of the service organization’s internal audit function
  • Review Type I or Type II reports on the subservice organization’s system
  • Monitor external communications, such as customer complaints relevant to the services by the subservice organization
It is no longer permissible under SSAE 18 to describe the “system-generated” reports within management’s description of the system. The nature of the report must be disclosed and described. In similar fashion, when using information produced by the service organization, SSAE 18 requires the service auditor to evaluate whether such information is sufficiently reliable for its purposes. Evidence about its accuracy and completeness must be obtained, including evaluating whether the information is sufficiently precise and detailed.

Examples of information produced by a service organization that are commonly used by a service auditor include:

  • Population lists used to select a sample of items for testing
  • Lists of data that have specific characteristics
  • Exception reports
  • Transaction reconciliations
  • Documentation that provides evidence of the operating effectiveness of controls, such as user access lists
  • System-generated reports
  • Other system-generated data
Improvements over the risk assessment process that requires service auditors to obtain a more in-depth understanding of the development of the subject matter than currently required, to better identify the risks of material misstatement in an examination engagement. Hence this means more detailed testing to be performed by the auditors and more documentation how risks and mitigation strategies link together.

What Does Elevate Think?

If you are seeking to comply with SOC 1/ SSAE 18 should implement a robust third-party vendor management policy and ensure that it is being carefully followed. It is just as important to ensure that subservice organizations (your key vendors) are monitored on an ongoing basis using the methods outlined in SSAE 18 and testing the complementary user entity controls required by the subservice organization.

Service organizations should also inventory their reports or other system-generated data used within their control activities to better understand the additional procedures that will be required by the service auditor.

Lastly, service organizations should ensure that the Risk Assessment process and documentation is robust enough and links the risk to key financial reporting considerations from their clients.

Explore Our Process