Moving from SSAE 16 to SSAE 18: Upcoming Changes to SOC 1 Audits

In April 2016, the American Institute of Certified Public Accountants (AICPA) made an important update to the attestation standards that will affect your next SOC 1 audit. Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification provides changes to SOC 1 audits and how attestation engagements are categorized. What is the reason for this change and how will SSAE 18 affect you?

Why the change from SSAE 16 to SSAE 18?

The AICPA is making some changes to the way we define attestation engagements, like the SSAE 16. Even though change can be challenging, this update, known as SSAE 18, helps to simplify attestation standards and converge them with international standards.

The Auditing Standards Board (ASB) is converging standards in order to unify them with international standards. A big reason behind this change is so that, regardless of which region of the world you’re in, the standards are accepted and unified. For example, if you are a client of ours who is doing business in Europe, you may have been issued an ISAE instead of an SSAE. The same goes for clients doing business in Canada, who may have been issued a CSAE.

Another reason behind the shift from SSAE 16 to SSAE 18 is for the purpose of simplification. The attestation (AT) section of the AICPA professional standards (dealing with attestation engagements) contains several different standards. These AT sections are issued in the form of Statements on Standards for Attestation Engagements (SSAE) and are comprised of several SSAEs dealing with different types of engagements.

The AICPA is taking these different sections and putting them into one source. A lot of the older, earlier numbers are going away and being re-categorized and codified into one, the SSAE 18. Those sections are:

  • AT sec. 20
  • AT sec. 50
  • AT sec. 101 (This was the standard we used in SOC 2 engagements)
  • AT sec. 201
  • AT sec. 301
  • AT sec. 401
  • AT sec. 601
  • AT sec. 701
  • AT sec. 801 (This was the standard we used in SOC 1/SSAE 16 engagements)

The following AT sections are being codified into one SSAE 18:

  • AT-C sec. 105 (SOC 1 and SOC 2)
    • This section deals with Concepts Common to All Attestation Engagements
  • AT-C sec. 205 (SOC 1 and SOC 2)
    • This section deals with Examination Engagements
  • AT-C sec. 210
    • This section deals with Review Engagements
  • AT-C sec. 215
    • This section deals with Agreed-Upon Procedures Engagements. In other words, you may have a client that is asking for an independent auditor to perform these procedures on their behalf and prepare a report. This engagement was separate prior to the SSAE 18.
  • AT-C sec. 305
    • This section deals with Prospective Financial Information.
  • AT-C sec. 310
    • This section deals with Reporting on Pro Forma Financial Information
  • AT-C sec. 315
    • This section deals with Compliance Attestations and provides guidance on how to perform compliance engagements that attest to compliance with laws and regulations. If you need an independent auditor to confirm that you’re compliant with HIPAA regulations or CFPB, for example, the auditor would refer to this section. The engagement that we used to call an SSAE 16 will now simply be referred to as a SOC 1 and will not be called SSAE 18.
  • AT-C sec. 320 (SOC 1)
    • This section deals with Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting
  • AT-C sec. 395
    • This section deals with Management Discussion and Analysis

The two engagements that we encounter the most are AT-C sec. 205 (SOC 1, SOC 2, HITRUST, CSA) and AT-C sec. 320 (SOC 1). AT-C sec. 205 is applicable to independent, published subject matter that an independent auditor can use to attest to the fact that the client is complying with the controls in CSA or HITRUST. AT-C sec. 320 deals specifically with reporting on internal control over financial reporting. We most commonly see this with payment processors, collection agencies, data centers, or hosting systems that are hosting or running accounting or accounts receivable on behalf of clients. Those service organizations are responsible for the physical and environmental controls that may impact their clients’ financial reporting. SSAE 16 is only valid through April 2017. As of May 1st, 2017, these reports will be referred to as SOC 1, not SSAE 18.

What are the changes to SOC 1 audits?

  1. Stronger focus on Risk Assessment

There are three main changes to SOC 1 audits. The first of the changes to SOC 1 audits is that they now have a stronger focus on risk assessment. Why? Looking back over the last few years, we see that the number of data breaches has massively increased. The number of successful phishing attempts on personal email accounts vs. corporate accounts has increased four-fold as attackers are viewing individuals as easy targets, giving them more opportunity to do damage and steal information. The current threat landscape requires that we thoroughly address the risks to our organizations. There are several places throughout the SOC 1 audit standard that have strong language around risk identification and risk management, which we interpret as a formal and documented risk assessment. Here is some example language from the standard that alludes to requiring a formal risk assessment process:

  • The SOC 1 audit standard now requires that Management acknowledges and accepts its responsibility for identifying the risks that threaten the achievement of the control objectives stated in the description and designing, implementing, and documenting controls that are suitably designed and operating effectively to provide reasonable assurance that the control objectives stated in the description of the service organization’s system will be achieved.

KirkpatrickPrice is urging clients to start getting management more involved in the risk assessment process because they must acknowledge and accept responsibility for identifying and mitigating risks that threaten the achievement of the control objectives stated in management’s description.

  • Auditor must verify whether management properly identified all risks that threaten the achievement of the control objectives stated in management’s description.

The SOC 1 audit now requires that auditors identify whether all risks were appropriately identified and addressed and determine what is missing. If a formal risk assessment process has not taken place, the auditor will likely uncover gaps and insufficiencies.

  • Auditor must obtain an understanding of management’s process for identifying and evaluating the risks that threaten the achievement of the control objectives and assessing the completeness and accuracy of management’s identification of those risks.

The SOC 1 standard used to say “formal or informal” risk assessment process, but now, the SOC 1 is asking auditors to understand management’s process and assess if it is complete and correct.

  • Auditor must evaluate the linkage of the controls identified in management’s description of the service organization’s system with those risks and determine that the controls have been implemented.

Your auditor must attest to whether the appropriate controls are in fact in place.

  • The auditor also must evaluate whether such information is sufficiently reliable for the service auditor’s purposes by obtaining evidence about its accuracy and completeness and evaluating whether the information is sufficiently precise and detailed.

Your auditor will be determining whether your risk assessment process is accurate and complete, which indicates that a formal risk assessment is necessary. They are also required to obtain evidence that the information provided is reliable.

  2. Monitoring Subservice Organizations

The last of the changes to SOC 1 audits is that service organizations are now required to monitor the effectiveness of controls at a subservice organization. This requirement means that service organizations must not only identify the critical organizations they rely on to provide their services, but also monitor that those organizations, too, are complying with all relevant standards.

We have a lot of clients who outsource or supplement internal staff with a third party to perform critical business operations. Service organizations are now required to manage their subservice organizations’ compliance and must include some combination of ongoing monitoring, to determine that potential issues are identified in a timely manner, and separate evaluations, to determine that the effectiveness of internal control is maintained over time. You must understand the risk a vendor poses to your organization and ensure that the vendor is meeting the control objectives in the description. Six examples given in the SOC 1 standard for accomplishing this requirement are:

  • Reviewing and reconciling output reports
  • Holding periodic discussions with the subservice organization
  • Making regular site visits to the subservice organization
  • Testing controls at the subservice organization by members of the service organization’s internal audit function
  • Reviewing Type I or Type II reports on the subservice organization’s system
  • Monitoring external communications, such as customer complaints relevant to the services provided by the subservice organization

How to make the shift to the new SOC 1 audit?

The first thing all organizations should do in order to prepare for the shift in the SOC 1 audit standard is to perform a formal risk assessment. KirkpatrickPrice is helping companies accomplish this by offering our specialized resources to facilitate the assessment for them. There are also plenty of resources dealing with risk assessment and tools to help you get started with documenting your own.

The next thing service organizations should do in preparation for the new SOC 1 audit standard is to begin vendor compliance management. When it comes to managing your vendors, you must ask yourself what risks your vendors pose to your organization and to the services you rely on them to provide. Is there anything going on in their environment that would cause you to be non-compliant? KirkpatrickPrice’s Online Audit Manager is a great tool that service organizations are using to manage and monitor vendor compliance.

If you have any questions regarding the upcoming changes to SOC 1, contact us today.

Moving from SSAE 16 to SSAE 18

Why the Change from SSAE 16 to SSAE 18?

Convergence with international standards is driving this change. There have been changes on the International Statement on Attestation Engagements (ISAE) side, and in the U.S., the Auditing Standards Board (ASB) desires to converge its standards with the international community’s changes. The corresponding standard to SSAE 18, which is a U.S.-only standard, is the new ISAE 3000.

In the full webinar, you will also see that the AICPA is striving to simplify the different AT sections into one source, which will be known as SSAE 18. Many of the older sections will be reorganized into SSAE 18.

What are the changes in the new standard?

There will be a stronger focus on risk assessment as a response to the magnitude of data breaches and the increase of risk. As more organizations outsource and use vendors, those organizations are taking more risks because they’re taking on the risks of their vendors. There is new language and focus on the responsibility of management. An auditor’s risk assessment must include:

  • An evaluation of the risk of material misstatement and an assessment of whether management identified the risks that threaten the achievement of the control objectives stated in management’s description
  • An understanding of management’s process for identifying and evaluating the risks that threaten the achievement of the control objectives, and an assessment of the completeness and accuracy of management’s identification of those risks
  • An evaluation of the linkage of the controls identified in management’s description of the service organization’s system with those risks, and a determination that the controls have been implemented

How can KirkpatrickPrice help you make the shift?

Our resources on risk assessments and vendor compliance management can help you prepare your organization. Hire our specialized resources to facilitate a risk assessment with you and your team and perform site visits with your critical vendors, access our webinar recordings for topics dealing with risk assessment and vendor compliance management, access our tools and templates to help you with documenting your own risk assessment, and use the Online Audit Manager to ask questions of your vendors. Contact us today to learn more.

Download the full webinar to learn more details, see examples, and listen to the Q&A portion.

Understanding the Audit Types for Debt Collectors and Collection Agencies

A closer look at how SOC 1, SOC 2, PCI and FISMA apply to Debt Collection and what it means for your Collection Agency.

If you’re performing collections, you’re no stranger to regulatory compliance and the proactive supervision of government agencies such as the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), and the Office for Civil Rights (OCR). It’s also critical to consider how you’re protecting consumer data and understand what information security audits are available and will best fit your organization based on the type of debt you’re collecting. Engaging an independent third-party to perform one of these many audits is not necessarily a requirement for collecting debt, but is highly recommended to ensure that the controls you have in place to protect sensitive data are appropriate and operating effectively.

What are the most commonly requested audits? Which audit is right for me? How can I prepare? Whether you’re collecting credit card, medical, student loan, or commercial debt, familiarizing yourself with the Alphabet Soup of information security audits – SOC 1, SOC 2, HITRUST, PCI, and FISMA – is the best way to begin making sense of the commonly requested frameworks and understand which one is right for you.

The table below summarizes which audits commonly apply to each type of debt (X marks an applicable audit):

  Debt Type          | SSAE 18/SOC 1 | SOC 2/HITRUST | PCI | FISMA
  -------------------|---------------|---------------|-----|------
  Credit Card Debt   | X             | X             | X   |
  Healthcare Debt    | X             | X             |     |
  Student Loan Debt  | X             | X             |     | X
  Commercial Debt    | X             | X             |     |

SOC 1

An SSAE 18 (formerly SSAE 16) audit, also known as a SOC 1 audit and formally titled Statement on Standards for Attestation Engagements No. 18, is the most commonly used framework for U.S. service providers. SSAE 18 reports were primarily designed to report on the controls of a service organization that are relevant to their clients’ financial reporting. SSAE 18 engagements are performed solely by CPAs and are intended to aid service organizations in eliminating potential errors in protecting client data and to attest to the effectiveness of the controls. There are two types of SSAE 18 (SOC 1) reports, a Type I and a Type II. Similar in the presentation of each control objective, a Type I attests to the controls as of a specific date in time, whereas a Type II attests to the controls through a specified period of time, offering a description of the tests performed for each control and the results of the tests.

If you’re working directly with a bank, have a client specifically requesting an SSAE 18, or are simply looking for a good place to start, I recommend pursuing an SSAE 18 audit. This could apply if you’re collecting on credit card, medical, student loan, or commercial debt. The SSAE 18, as many audit types do, utilizes a risk-based approach allowing you to identify your areas of risk and determine whether you’re appropriately addressing each risk. The SSAE 18 audit process helps you to design and implement internal control, thus demonstrating commitment to integrity and ethical values through policy and procedure.

SOC 2

I recommend selecting a SOC 2 audit if your clients demand it, prospective clients are requesting it, or if you’re specifically collecting on healthcare accounts. A SOC 2 audit, unlike a SOC 1, is prepared in accordance with AT 101, Attest Engagements. Similar to a SOC 1, SOC 2 engagements are performed by a licensed CPA. A SOC 2 reports on non-financial controls, focusing on what are known as the Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Is the system protected against unauthorized access (logical and physical)? Is the system available for operation and use as agreed? Is the system processing complete, accurate, timely, and authorized? Is the information designated as confidential protected as agreed? Is personal information that is collected, used, retained, disclosed, and destroyed handled in conformity with the entity’s privacy notice commitments? This is what is addressed during a SOC 2 audit engagement.

A recommended practice for those working closely with the healthcare industry is undergoing a SOC 2 HITRUST audit. Pairing a SOC 2 with a HITRUST CSF (common security framework) component can help take the guesswork out of HIPAA compliance assessments. The HITRUST framework is a healthcare industry-created compliance protocol designed to address compliance and risk expectations of HIPAA’s Security Rule, variations in business practices, and third-party assurance expectations. Since the SOC 2 is designed to address the aforementioned Trust Services Principles, which are all concepts intrinsic within HIPAA’s Security Rule requirements and the HITRUST framework, it is an incredibly effective report that will provide internal and external value to your organization.

PCI

The Payment Card Industry Data Security Standard (PCI DSS) was jointly developed by the payment card brands to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. PCI DSS v3.2 is the current version, and applies to any merchant who stores, processes, or transmits cardholder data, and any service provider who stores, processes, or transmits data on behalf of a merchant. As a debt collection agency, you can be either a merchant or a service provider. You’re considered a merchant if you’re accepting credit cards as payment, and a service provider if you’re loading account numbers into your system to collect on. PCI DSS is a robust information security standard with approximately 394 controls across 12 Requirements, organized under six Control Objectives.

If you’re collecting on credit card debt, or accepting or processing payment cards, you must comply with PCI. You may become “PCI Compliant” by completing a Self-Assessment Questionnaire (SAQ). There are nine basic versions of the SAQ (with variations), and each can either be signed by a Qualified Security Assessor (QSA) or be a self-attestation. You may also become “PCI Certified”, and upon completion will receive an official Report on Compliance (RoC) from a QSA.

FISMA

The Federal Information Security Management Act (FISMA) is a U.S. federal law, enacted in 2002, to protect government information and assets from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems, thereby protecting the three pillars of information security: Confidentiality, Integrity, and Availability. FISMA is the law; NIST Special Publication 800-53 is the comprehensive standard that contains the individual security controls required to comply with FISMA. Certification is achieved when an Authorization to Operate (ATO) is signed by a federal agency’s senior management official.

If you’re collecting on student loan debt, working with the federal government, a federal contractor, or a sub-service provider of a federal contractor, you are required to meet the National Institute of Standards and Technology (NIST) 800-53 standards.

There’s not a cookie cutter approach to determining which information security audit is right for you. The important things to consider are best practice recommendations, who these audit frameworks apply to, and the type of debt you’re collecting. Whether you choose to undergo an information security audit or not, the best place to start is making sense of the alphabet soup.

SOC 1 vs. SOC 2: Which SOC Report Do I Need?

As a service organization, you are familiar with audit requests from clients who are required to meet specific compliance and audit requirements. You have most likely been asked whether your organization is SOC 1 Compliant or SOC 2 Compliant. What are the differences between a SOC 1 and SOC 2? Which SOC report should I get? Do I need both? These are questions we, as auditors, are frequently asked. Let’s take a look at the differences between the two, and why you could be asked for either, or both, as you continue to grow your business.

SOC 1 Vs. SOC 2 with Joseph Kirkpatrick

Do I need a SOC 1?

A Service Organization Control 1, or SOC 1 engagement, is an audit of the internal controls at a service organization which have been implemented to protect client data. SOC 1 engagements are performed in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16). A SOC 1 assessment is comprised of control objectives, which are used to accurately represent internal control over financial reporting (ICFR). In other words, if you are hosting financial information that could affect your client’s financial reporting, then a SOC 1 audit report makes the most sense for your organization to pursue, and will likely be requested of you.

Do I need a SOC 2?

If you are hosting or processing other types of information for your clients that does not impact their financial reporting, then you may be asked for a SOC 2 audit report. In this instance, your clients are likely concerned whether you are handling their data in a secure way, and if it is available to them in the way you have contracted it to be. A SOC 2 report, similar to a SOC 1 report, evaluates internal controls, policies, and procedures. However, the difference is that a SOC 2 reports on controls that directly relate to the security, availability, processing integrity, confidentiality, and privacy at a service organization. These criteria are known as the Trust Services Principles, and are the foundation of any SOC 2 audit engagement.

Do I need a SOC 1 and a SOC 2 report?

If you have clients that fall under both categories, then there is a chance you may be asked for both. In some circumstances, you may determine that you need a SOC 1 and a SOC 2 report in order to effectively ensure that your controls meet the demands of a variety of clients and stakeholders. Fortunately, KirkpatrickPrice utilizes a unique Online Audit Manager that allows you to combine a SOC 1 and SOC 2 into one audit process resulting in two deliverables.

So which report makes the most sense for your organization? Should you pursue a SOC 1 or a SOC 2? Do you need both? Determining what your business objectives are is a vital first step in deciding which SOC audit you should pursue. KirkpatrickPrice can provide free consulting services to help you determine which SOC report makes the most sense for your organization and assist in determining the scope of your engagement. Think you may need multiple reports? We can help with that too. KirkpatrickPrice’s Online Audit Manager was designed to help take the stress away from meeting multiple audit demands by streamlining them into one efficient audit process. Contact us today using the form below to learn more about how we can help.

SSAE 16: The Past and the Present
The Journey from SAS 70 to SSAE 16

What’s the purpose of an SSAE 16 audit and should I pursue one? If you’re new to the world of information security audits, check out this comprehensive guide on the history of SSAE 16, why it replaced the SAS 70, and how becoming SSAE 16 compliant could benefit your business.

Outsourcing critical business functions, such as IT or HR, is a common practice among many businesses today. While outsourcing is a great way to cut operational costs and acquire resources that aren’t available internally, it doesn’t come without its risks. It is especially crucial to consider how outsourcing functions to service organizations could impact your internal control over financial reporting (ICFR).

In accordance with Sarbanes-Oxley (SOX), publicly traded companies are responsible for maintaining an effective system of internal control over financial reporting (ICFR). Such emphasis on governance and risk management when it comes to reporting on controls at a service organization is the reason many organizations have chosen to require their vendors, who may have an impact on their ICFR, to obtain an SSAE 16 (SOC 1) Attestation Report.

The SSAE 16, born in 2011, provides auditors a way to report on things other than financial reports. Instead, SSAE 16 reports on the design and operating effectiveness of controls at a service organization as they relate to their clients’ ICFR. Prior to the SSAE 16, CPAs used what was known as SAS 70.

Out with the Old: Replacing the SAS 70

To make a long story short, CPAs in the past were using the SAS 70 to report on things other than financial reports; however, the SAS 70 was never intended to do so. By introducing a new attestation standard to assess service organizations, the AICPA improved assurance by replacing the SAS 70 with the Statement on Standards for Attestation Engagements No. 16, or SSAE 16.

Not only does the SSAE 16 provide a more comprehensive and descriptive assessment of controls, it also allows user organizations to appropriately assess the reliability of the controls at a service organization.

SSAE 16 vs. SAS 70: What are the Differences?

SAS 70, Cruising with The Auditing Standard

What’s the difference between SSAE 16 and SAS 70? One of the key differences between the SAS 70 and the SSAE 16 is that the SAS 70 is an “auditing” standard, whereas the SSAE 16 is an “attestation” standard. When the AICPA made the decision to replace the SAS 70, they thought it more appropriate for a service organization audit to be an examination of a system, which is different from an audit of financial statements.

SSAE 16, Going Deeper with Attestation

What are the key differences between the SAS 70 and SSAE 16?

The SSAE 16 report requires a description of a system along with a written assertion by management on the design and operating effectiveness of the controls being reviewed. The SAS 70, however, lacked the level of detail that the SSAE 16 offers. The SAS 70 simply provided a description of controls and did not include any type of management assertion.

New and Improved: The SSAE 16 Audit Report

The SSAE 16 has been around long enough now to have gained popularity and familiarity by both service organizations and their clients. However, we still receive a fair amount of questions regarding the purpose of an SSAE 16 audit report, the components, and the benefits of a service organization obtaining an SSAE 16 audit report.

Have you been asked for an SSAE 16 report?

As mentioned before, the purpose of an SSAE 16 report is to report on the controls at a service organization that may have an impact on their clients’ financial reporting.

If you’re an organization that provides hosting services, data management services, etc. to a publicly traded company, it is likely you have been requested to pursue an SSAE 16 audit, and if not, you probably will be at some point. An SSAE 16 report allows organizations to assess the risks associated with doing business with particular service providers.

Components of an SSAE 16 Audit Report

There are no set controls for an SSAE 16, as each is unique to the service organization and the type of business they are doing. However, there are common criteria and common control objectives that typically make up the components of an SSAE 16 or SOC 1 report. These include the independent service auditor’s report, management’s written assertion, a description of the system, control objectives, and the testing of operating effectiveness of the controls. There are two types of SSAE 16 reports. An SSAE 16 Type I report is an attestation of controls at a service organization at a point in time. An SSAE 16 Type II report is an attestation of controls at a service organization over a period of time. It is often recommended that service organizations begin with an SSAE 16 Type I report, and then move to an SSAE 16 Type II report to demonstrate the maturing of their environment.

Benefits of Pursuing an SSAE 16 Audit Report

There are several benefits associated with obtaining an SSAE 16 audit report. First, it is a great way to demonstrate your commitment to delivering high quality services to your clients. It is also an important step in gaining the client trust you need to develop and grow your business. By engaging a third-party auditing firm to conduct an SSAE 16 audit engagement, you will not only satisfy current client demands, but gain a competitive advantage and have the opportunity to win new business.

The evolution of the reporting on controls at a service organization has inevitably brought more assurance and opportunity to the marketplace. The SSAE 16 audit report is a great way for organizations to demonstrate that they have the proper internal controls in place to protect client data. If you have any questions regarding obtaining an SSAE 16 audit report, whether it is the appropriate engagement for your organization, or how to prepare for your SSAE 16 audit, contact us today.