SOC 1 AUDIT REPORTS
The SOC 1 (SSAE 16) report, which provides assurance to auditing personnel about the integrity of your system’s controls, is being replaced by SSAE 18. It will universally be referred to as a “SOC Report” and is effective for reports dated on or after May 1st of 2017.
This amended process will provide for additional clarification and consolidation of auditing standards for performing attestation engagements.
The Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) is referring to SSAE 18 as a “clarification and recodification of attestation standards”.
YOUR SUBSERVICE ORGANIZATIONS AND SSAE 18
For the purposes of your service organization control reports, the primary criterion will place emphasis on subservice organizations. As suppliers that contribute to service providers, their reliability and compliance will now be part of the assessment process. SSAE 18 therefore encourages service organizations to put into effect practices that monitor at the subservice level so those resources abide by the same guidelines as the organization that engages them.
The clarification introduces new terminology and reiterates existing terminology as follows:
· Complementary subservice organization controls - Controls that management of the service organization assumes, in the design of the service organization’s system, will be implemented by the subservice organizations and are necessary to achieve the control objectives stated in management’s description of the service organization’s system.
· Complementary user entity controls - Controls that management of the service organization assumes, in the design of the service organization’s system, will be implemented by user entities and are necessary to achieve the control objectives stated in management’s description of the service organization’s system.
Your company’s best and most proactive approach to preparing for this new reporting structure would include the initial, as well as the ongoing, vetting of your subservice organizations. Our experienced auditors will advise your company of the processes and controls that will facilitate these efforts.
Monitoring the Effectiveness of Controls at Subservice Organizations
Management’s description of the service organization’s system and the scope of the service auditor’s engagement includes controls at the service organization that monitor the effectiveness of controls at the subservice organization, which may include some combination of ongoing monitoring to determine that potential issues are identified timely and separate evaluations to determine that the effectiveness of internal control is maintained over time. Such monitoring activities may include:
· reviewing and reconciling output reports,
· holding periodic discussions with the subservice organization,
· making regular site visits to the subservice organization,
· testing controls at the subservice organization by members of the service organization’s internal audit function,
· reviewing type 1 or type 2 reports prepared on the subservice organization’s system for impact to the opinion, exceptions identified, and user control considerations to be implemented by the service organization, and
· monitoring external communications, such as customer complaints relevant to the services provided by the subservice organization.
SOC REPORTING STANDARDS
This revised SOC standard, introduced by SSAE 18, also extends the scope of the report beyond service organizations to include all attestation engagements.
Overall, this more inclusive approach to SOC Reports will help satisfy previously existing control issues concerning the evaluation of subservice organizations. The expectation is that this solution will yield even more comprehensive reporting.