If you are currently receiving a SOC report, you may wonder whether the change to SSAE 18 will affect your report. In most cases the changes to the report itself will be small, and most service organizations should not expect much of a difference.
The biggest change from SSAE 16 to SSAE 18 relates to the monitoring of subservice organizations. A subservice organization is a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities' internal control over financial reporting. SSAE 18 requires the service organization to implement controls that monitor the effectiveness of the controls at the subservice organization.
A service organization may choose to apply the change by creating a Third Party Vendor Management Policy that requires a periodic review of significant third parties. SSAE 18 states that monitoring activities may include: “reviewing and reconciling output reports, holding periodic discussions with the subservice organization, making regular site visits to the subservice organization, testing controls at the subservice organization by members of the service organization’s internal audit function, reviewing type 1 or type 2 reports on subservice organization’s system, and monitoring external communications, such as customer complaints relevant to the service by the subservice organization.”
If your organization is currently receiving a SOC report and you are not monitoring subservice organizations, your organization should consider implementing a Third Party Vendor Management Policy. The AICPA has given service organizations about a year to adapt to the change before it takes effect. Statement on Standards for Attestation Engagements (SSAE) No. 18 is effective for reports dated on or after May 1, 2017.
A change for the SOC report auditors is a more detailed risk assessment of the service organization. Auditors will be required to obtain an understanding of the subject matter, to identify and assess the risk of material misstatement, and to perform procedures in response to those risks. Prior to the change, auditors were only required to have adequate knowledge of the subject matter; they were not required to assess and respond to the risks.
If you have any questions about obtaining a SOC report or how this may impact you or your company, reach out to us online or call 513-241-8313 to speak with a member of the Barnes Dennig team.
About the Author:
Liz is a Service Organization Controls (SOC) and IT Controls Specialist. She works closely with clients to ensure that controls are in place to prevent fraud and combat cybercrime. Liz has expertise in identifying specific control solutions for organizations of all sizes, from small not-for-profit organizations to large public corporations. Liz graduated from the University of the Cumberlands with Bachelor's Degrees in