business Moving from SSAE 16 to SSAE 18 – Part 2 April 03, 2017 As the effective date of SSAE 18 draws closer, we discuss the remaining major provisions relative to monitoring service organization controls. SSAE 18 sets forth new/enhanced requirements for Service Organization Control (“SOC”) reports under “one roof” in section AT-C Section 320. Previously, SOC reports were issued under different guidance: SOC 1 reports under SSAE 16 and SOC 2/3 reports under AT 101. Learn more about SSAE18 in Part 1 of our blog series. Complementary Subservice Organization Controls SSAE 18 introduces the concept of Complementary Subservice Organization Controls. These are controls that Management of the Service Organization assumes, in the design of its system, will be implemented by the subservice organizations and are necessary to achieve the control objectives stated in management’s description of the service organization’s system. A common example of this would be physical controls implemented at a data center (subservice organization) that is utilized by the service organization. Written Assertion Requirement SSAE 18 requires that the service auditor now obtains a written assertion from management of the service organization. The assertion is a statement within the report wherein the service organization asserts that the system description provided in the report is true and complete. Although the assertion has been a requirement under SSAE 16 and SOC reporting; SSAE 18 requires that this assertion be signed, which was optional in the past. Risk Assessment SSAE 18 requires service auditors to obtain a more detailed understanding of how the subject matter of the examination was developed in order to better identify the potential for material misstatements. What do these changes mean for Service Organizations? The inclusion of Complementary Subservice Organization Controls as a component of the description of the system is new for service organizations and should be monitored by the service organizations in their vendor management process. The Written Assertion requirement is not new (except for the mandatory signature requirement) and should not have a significant impact on current operations. What does it mean for Auditors of Users of Service Organizations? Auditors of users of Service Organizations will need to understand the new requirements of SSAE 18 to ensure that their clients are reviewing the SOC reports generated by the Service Organizations and that the reports are complete. Need Help? KLR performs numerous SOC 1 and SOC 2 examinations and readiness assessments and can work with you in understanding and implementing the new SSAE 18 requirements. Contact us for help in addressing these new requirements or if you have any questions on its content.
