Moving from SSAE 16 to SSAE 18: Upcoming Changes to SOC 1 Audits

by Sarah Harvey / March 9th, 2017

In April 2016, the American Institute of Certified Public Accountants (AICPA) made an important update to the attestation standards that will affect your next SOC 1 audit. Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification provides changes to SOC 1 audits and how attestation engagements are categorized.

What is the reason for this change and how will SSAE 18 affect you?

What is SSAE 16?

SSAE 16 is the Statements on Standards for Attestation Engagements no. 16. It provides a set of standards and guidance for attestation reporting on organizational controls and processes at service organizations. Audits using SSAE 16 generally result in System and Organizational Control (SOC 1) reports. Unlike earlier standards, SSAE 16 requires a written attestation from a service company’s management, stating that its description accurately represents organizational systems, control objectives, and operational activities that affect customers. SSAE 16 was superseded by SSAE 18 in 2017.

What is SSAE 18?

SSAE 18 is the current set of standards and guidance for reporting on organizational controls and processes at service organizations. It supersedes SSAE 16 and is intended to update and simplify previous standards. Like SSAE 16, SSAE 18 is used in SOC 1 reports, but also in SOC 2 and SOC 3 reports, which were previously conducted under AT 101. Among other changes, SSAE 18 additionally requires that service organizations identify subservice organizations and provide risk assessments to auditors.

Learn more at our Guide to SAS 70 vs SSAE 16 vs SSAE 18.

SSAE 16 vs. SSAE 18: What’s the Difference?

SSAE and SOC are often used interchangeably, and people talk about SSAE 18 reports and SOC 1 audits. However, the two are distinct, and it’s useful to understand the difference. 

  • SSAE 18 — SSAE is the Statement on Standards for Attestation Engagements no. 18. As the name suggests, it outlines standards and guidance for completing attestation engagements. These are the standards and processes CPAs follow when carrying out SSAE examinations.
  • SOC is the System and Organization Controls report. It is the report that CPAs produce after conducting an attestation engagement under the SSAE 18 standards.

In short, SSAE refers to the standards, and SOC refers to the report.

In 2016, the AICPA updated the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) to No. 18 (SSAE 18). This change was made to simplify and converge attestation standards related to SOC 1 audits. SSAE 18 has also expanded to cover more types of attestation reports (including SOC 2), whereas SSAE 16 was limited to only SOC 1 reports.

What was the purpose of SSAE 16?

The purpose of SSAE 16 was to provide a framework, issued by the AICPA, that SOC 1 audits could follow. It actually means the Statement on Standards for Attestation Engagements No. 16. Each new Statement on Standards for Attestation Engagements  helps to simplify and converge attestation standards to unify with international standards and new technology.

Why the Change From SSAE 16 to SSAE 18?

The AICPA is making some changes to the way we define attestation engagements, like the SSAE 16. Even though change can be challenging, this update known as SSAE 18, is helping to simplify and converge attestation standards to unify with international standards.

The Auditing Standards Board (ASB) is converging standards in order to unify them with international standards. A big reason behind this change is so that regardless of which region of the world you’re in, the standards are accepted and unified.

For example, if you are a client of ours who is doing business in Europe, you may have been issued an ISAE instead of an SSAE. The same goes for clients doing business in Canada, you may have been issued a CSAE.

Another reason behind the shift from SSAE 16 to SSAE 18 is for the purpose of simplification. The attestation (AT) section of the AICPA professional standards (dealing with attestation engagements) contains several different standards. These AT sections are issued in the form of Statements on Standards for Attestation Engagements (SSAE) and are comprised of several SSAEs dealing with different types of engagements.

The AIPCA is taking these different sections and putting them into one source. A lot of the older, earlier numbers are going away and being re-categorized and codified into one, the SSAE 18. Those sections are:

  • AT sec. 20
  • AT sec. 50
  • AT sec. 101 (This was the standard we used in SOC 2 engagements)
  • AT sec. 201
  • AT sec. 301
  • AT sec. 401
  • AT sec. 601
  • AT sec. 701
  • AT sec. 801 (This was the standard we used in SOC 1/SSAE 16 engagements)

The following AT sections are being codified into one SSAE 18:

  • AT-C sec. 105 (SOC 1 and SOC 2)
    • This section deals with Concepts Common to All Attestation Engagements
  • AT-C sec. 205 (SOC 1 and SOC 2)
    • This section deals with Examination Engagements
  • AT-C sec. 210
    • This section deals with Review Engagements
  • AT-C sec. 215
    • This section deals with Agreed-Upon Procedures Engagements. In other words, you may have a client that is asking for an independent audit to perform these procedures on their behalf and prepare a report. This engagement was separate prior to the SSAE 18.
  • AT-C sec. 305
    • This section deals with Prospective Financial Information.
  • AT-C sec. 310
    • This section deals with Reporting on Pro Forma Financial Information
  • AT-C sec. 315
    • This section deals with Compliance Attestations and provides guidance on how to perform compliance engagements that attest to compliance with laws and regulations. If you need an independent auditor to confirm that you’re compliant with HIPAA regulations or CFPB, for example, the auditor would refer to this section. The engagement that we used to call an SSAE 16 will now simply be referred to as a SOC 1 and will not be called SSAE 18.
  • AT-C sec. 320 (SOC 1)
    • This section deals with Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting
  • AT-C sec. 395
    • This section deals with Management Discussion and Analysis

The two engagements that we encounter the most are AT-C sec. 205 (SOC 1, SOC 2, HITRUST, CSA) and AT-C sec. 320 (SOC 1). AT-C sec. 205 is applicable for independent subject matter that has been published that an independent auditor can use to attest to the fact that the client is complying with the controls in CSA or HITRUST. AT-C sec. 320 deals specifically with reporting on internal control over financial reporting.

We most commonly see this with payment processors, collection agencies, data centers, or hosting systems who are hosting or running accounting or accounts receivable on behalf of clients. Those service organizations are responsible for the physical and environmental controls that may impact a clients’ financial reporting.

SSAE 16 is only valid through April 2017. As of May 1st, 2017, these reports will be referred to as SOC 1, not SSAE 18.

What are the Changes to SOC 1 Audits With SSAE 18?

Stronger focus on Risk Assessment

There are three main changes to SOC 1 audits. The first of the changes to SOC 1 audits is that they now have a stronger focus on risk assessment.

Why?

Looking back over the last few years, we see that the number of data breaches has massively increased. The number of successful phishing attempts on personal email accounts versus corporate accounts has increased four-fold as attackers are viewing individuals as easy targets, giving them more opportunity to do damage and steal information.

The current threat landscape requires that we thoroughly address the risks to our organizations. There are several places throughout the SOC 1 audit standard that have strong language around risk identification and risk management, which we interpret as a formal and documented risk assessment. Here is some example language from the standard that alludes to requiring a formal risk assessment process:

  • The SOC 1 audit standard now requires that Management acknowledges and accepts its responsibility for identifying the risks that threaten the achievement of the control objectives stated in the description and designing, implementing, and documenting controls that are suitably designed and operating effectively to provide reasonable assurance that the control objectives stated in the description of the service organization’s system will be achieved.

KirkpatrickPrice is urging clients to start getting management more involved in the risk assessment process because they must acknowledge and accept responsibility for identifying and mitigating risks that threaten the achievement of the control objectives stated in management’s description.

  • Auditor must verify if management properly identified all risks that threaten the achievement of the controls objectives stated in management’s description.

The SOC 1 audit now requires that auditors identify whether all risks were appropriately identified and addressed and determine what is missing. If a formal risk assessment process has not taken place, the auditor will likely uncover gaps and insufficiencies.

  • Auditor must obtain an understanding of management’s process for identifying and evaluating the risks that threaten the achievement of the control objectives and assessing the completeness and accuracy of management’s identification of those risks.

The SOC 1 standard used to say “formal or informal” risk assessment process, but now, the SOC 1 is asking auditors to understand management’s process and assess if it is complete and correct.

  • Auditor must evaluate the linkage of the controls identified in management’s description of the service organization’s system with those risks and determine that the controls have been implemented.

Your auditor must attest to whether the appropriate controls are in fact in place.

  • The auditor also must evaluate whether such information is sufficiently reliable for the service auditor’s purposes by obtaining evidence about its accuracy and completeness and evaluating whether the information is sufficiently precise and detailed.

Your auditor will be determining whether your risk assessment process is accurate and complete, which indicates that a formal risk assessment is necessary. They are also required to obtain evidence that the information provided is reliable.

Monitoring Subservice Organizations

The last of the changes to SOC 1 audits is that service organizations are now required to monitor the effectiveness of controls at a subservice organization. This new requirement now requires that service organizations not only identify the critical organizations they rely on to provide their services, but also monitor that they, too, are complying with all relevant standards.

We have a lot of clients who outsource or supplement internal staff with a third party to perform critical business operations. Service organizations are now required to manage their subservice organizations’ compliance and must include some combination of ongoing monitoring to determine that potential issues are identified timely and separate evaluations to determine that the effectiveness of internal control is maintained over time. Organizations must understand the risk a vendor is posing to you, and ensuring that they are meeting the control objectives in the description. Six examples given in the SOC 1 standard for accomplishing this requirement are:

  • Reviewing and reconciling output reports;
  • Holding periodic discussions with the subservice organization
  • Making regular site visits to the subservice organization
  • Testing controls at the subservice organization by members of the service organization’s internal audit function
  • Reviewing Type I or Type II reports on the subservice organization’s system
  • Monitoring external communications, such as customer complaints relevant to the services provided by the subservice organization

How to Make the Shift to the New SOC 1 Audit?

The first thing all organizations should do in order to prepare for the shift in the SOC 1 audit standard is to perform a formal risk assessment. KirkpatrickPrice is helping companies accomplish this by offering our specialized resources to facilitate the assessment for them. There are also plenty of resources dealing with risk assessment and tools to help you get started with documenting your own.

The next thing service organizations should do in preparation for the new SOC 1 audit standard is to begin vendor compliance management. When it comes to managing your vendors, you must ask yourself what those risks are that your vendors pose to your organization and the services you rely on them to provide. Is there anything going on in their environment that would cause you to be non-compliant? KirkpatrickPrice’s Online Audit Manager is a great tool that service organizations are using to manage and monitor vendor compliance.

If you have any questions regarding the changes to SOC 1, contact us today.

More SOC 1 Resources

Understanding Your SOC 1 Report Video Series 

SOC 1 Compliance Checklist: Are You Prepared for an Audit? 

How to Read Your Vendors SOC 1 or SOC 2 Report?