Any service auditor's report with an opinion dated on or after May 1, 2017, is issued under the SSAE 18 standard (which supersedes SSAE 16).
Two types of SOC 1 reports exist:
- Type I: Report on the design and implementation of controls as of a specified date (a point in time)
- Type II: Report on the design and operating effectiveness of controls throughout a specified period (typically six to twelve months)
Clients often call Type I the "policy documentation" and Type II the "testing phase." Although that shorthand is roughly right, a Type I is more than a documentation review: it includes an assessment of whether the controls are suitably designed and have actually been implemented, so the auditor needs artifacts beyond policies and procedures (for example, the risk assessment, penetration test results, or evidence of a control operating at least once, i.e. a sample of one). Elevate helps you work through this difference to determine the best approach for achieving compliance.
What changed between SSAE 16 and SSAE 18?
The most significant change in the requirements a service organization must meet is that its vendor management program for sub-service organizations (for example, colocation facilities) must be sufficiently robust.
SSAE 18 requires service organizations to implement processes that monitor the controls at their sub-service organizations. SSAE 18 suggests the following monitoring activities:
- Review and reconcile output reports
- Hold periodic discussions with the sub-service organization
- Make regular site visits to the sub-service organization
- Have members of the service organization's internal audit function test controls at the sub-service organization (the key vendors within the scope of the examination)
- Review Type I or Type II reports on the sub-service organization’s system
- Monitor external communications, such as customer complaints relevant to the services by the sub-service organization
Data Validation Requirement:
Under SSAE 18 it is no longer sufficient for management's description of the system to refer generically to "system-generated" reports; the nature of each report must be disclosed and described. Similarly, when the service auditor uses information produced by the service organization, SSAE 18 requires the auditor to evaluate whether that information is sufficiently reliable for the auditor's purposes. The auditor must obtain evidence about its accuracy and completeness, including evaluating whether the information is sufficiently precise and detailed.
Examples of information produced by a service organization that is commonly used by a service auditor include:
- Population lists used to select a sample of items for testing
- Lists of data that have specific characteristics
- Exception reports
- Transaction reconciliations
- Documentation that provides evidence of the operating effectiveness of controls, such as user access lists
- System-generated reports
- Other system-generated data
Risk Assessment Requirement:
SSAE 18 also strengthens the risk assessment process: service auditors must obtain a more in-depth understanding of the development of the subject matter than was previously required, in order to better identify the risks of material misstatement in an examination engagement. In practice this means more detailed testing by the auditors and more documentation of how identified risks and the controls that mitigate them link together.
What Does Elevate Think?
If you are seeking to comply with SOC 1 / SSAE 18, you should implement a robust third-party vendor management policy and ensure that it is carefully followed. It is just as important to monitor your sub-service organizations (your key vendors) on an ongoing basis using the methods outlined in SSAE 18, and to test the complementary user entity controls that each sub-service organization's report requires of you.
Service organizations should also inventory the reports and other system-generated data used within their control activities, so that they understand the additional procedures the service auditor will perform to establish the reliability of that information.
Lastly, service organizations should ensure that their risk assessment process and documentation are robust enough to link each identified risk to the key financial reporting considerations of their clients (the user entities).