Robert Ramsay – CPA, CISA, CITP, HITRUST CCSFP
Bryan Gayhart – CPA, CISA, HITRUST CCSFP
Bryan Gayhart: Thanks for tuning in today for the latest video from our Barnes Dennig SOC Team. Robert, we’re going to talk about SSAE 21 today, but before we talk about what’s changed with that, why don’t you give us a little history of how we got here?
Robert Ramsay: Yeah, sure. So these accounting standards dictate how we issue SOC reports, and they started way back in the 1900s with something called SAS 70 or S-A-S 70. And that was one of the first codifications of how we could issue these third-party vendor management reports. And that lasted a long time.
And over time, the AICPA decides, oh, there’s a slightly better way to do this. Or we need to fine-tune these rules, or we want to change the rules so they agree with maybe European standards or something. So they change over time, and if you’ve been doing this a little while, you’ve probably heard of SSAE 16 or SSAE 18, and now we’re at 21. So those have been the evolution of these standards over time.
Bryan Gayhart: So as the standard comes in and it changes, we’ve got an effective date here of June 15th. So any report issued on or after that date. If I’m a report reader, what am I going to notice is a change?
Robert Ramsay: Some of these codification changes have a big shift, and there’s a focus on reliance on other parties, or oversight, or extra kinds of security as technology evolves. With this one, SSAE 21, it’s pretty minor for a reader of these things, we’ve found. For our SOC reports, there’s a little bit of language changing and opinions, that I think in this case, largely lines things up with some European ethics requirements. And an extra emphasis on independence, but I’m not sure we’re seeing a lot of changes anywhere else in the report.
Bryan Gayhart: Got it. Does it change the way you go about doing a SOC report?
Robert Ramsay: It really hasn’t so far. We’re constantly making sure we’re in line with the expectations of the AICPA. But so far we’ve found that there’s some disclosure and some quality management within our firm, but really the reports and the readers and the process of getting the audit and the reporting hasn’t changed.