From SAS 70 to SSAE 16 to SSAE 18
Effective for reports dated on or after May 1, 2017, SSAE 16 was superseded by SSAE 18 AT-C Section 320 / SOC 1® Attestation.
What was the SAS 70 Audit?
Statement on Auditing Standards No. 70, simply known as SAS 70, grew from a U.S. auditing standard to a global de facto framework used to report on the controls of Service Organizations. After its inception in April 1992, the SAS 70 audit became the universally accepted audit mechanism for all Service Organizations.
Why did the SAS 70 change?
With the advent of global reporting demands, the AICPA realized that a single audit mechanism was not the best solution for an array of Service Organizations operating in a diverse group of industries with a variety of reporting requirements. As a solution, Statement on Standards for Attestation Engagements No. 16, commonly known as SSAE 16, was implemented for Service Organization reports with periods ending on or after June 15, 2011. The SSAE 16’s purpose was to replace the aging SAS 70 standard with a standard that provided more report options, but more importantly, that would keep pace with the growing push towards globally accepted international accounting standards.
What changed with the implementation of SSAE 16?
The SSAE 16, superseded by SSAE 18 AT-C Section 320 / SOC 1® for reports dated May 1, 2017 and after, divided the SAS 70 report into three different reports (SOC Reports) to provide better reporting options for Service Organizations across all industries.
SOC Reports
- SOC 1® Report – Report on controls at a Service Organization relevant to user entities’ internal controls over financial reporting in accordance with Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization. These reports were specifically intended to meet the needs of the entities that use Service Organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors) in evaluating the effect of the controls at the Service Organization on user entities’ financial statements. Distribution of these reports was restricted to the management of the Service Organization, user entities and user auditors.
- SOC 2® Report – Report on controls at a Service Organization relevant to the Trust Services Principles in accordance with AT Section 101. These reports are intended to meet the needs of a broad range of users that need information and assurance about the controls at a Service Organization that affect the security, availability, and processing integrity of the systems the Service Organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. Distribution of these reports is generally restricted.
- SOC 3® Report – Trust Services Report: these reports are designed to meet the needs of users who need assurance about the controls at a Service Organization that affect the security, availability, and processing integrity of the systems used by a Service Organization to process users’ information, and the confidentiality or privacy of that information, but do not have the need for or the knowledge necessary to make effective use of a SOC 2® Report. Because they are general use reports, SOC 3® reports can be freely distributed or posted on a website as a WebTrust or SysTrust seal.
Types of Reports
There are two types of reports for these engagements:
- Type 1 – Report on fairness of the presentation of management’s description of the Service Organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
- Type 2 – Report on fairness of the presentation of management’s description of the Service Organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout the specified period.
SSAE 18 AT-C Section 320 / SOC 1® Attestation
The publication Codification of Statements on Standards for Attestations was issued by the Accounting and Review Services Committee and the Auditing Standards Board (ASB) in April 2016. This publication contains the codified attestation standards and related attestation interpretations that are in effect through April 2017 (identified as “AT” sections) as well as the codified clarified attestation standards resulting from the issuance of SSAE No. 18, Attestation Standards: Clarification and Recodification (identified as “AT-C” sections). SSAE No. 18 is effective for reports dated on or after May 1, 2017.
SSAE 18 is for all attestation engagements, whereas SSAE 16 was specific to service organizations and SOC 1® attestation examinations. SOC 1® is now specifically in accordance with AT-C Section 320 (Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting) within SSAE 18. Thus, SOC 1® reports were previously referenced as SSAE 16 examinations, but will now need to be referred to as SSAE 18 / SOC 1®, or simply as SOC 1® reports and examinations.
The most significant change with SSAE 18, AT-C Section 320 / SOC 1® is that it requires the service organization to implement controls that monitor the effectiveness of controls at the subservice organization for SOC 1® report opinions dated on or after May 1, 2017.
A subservice organization is any third party with access (either physical or logical) to the service organization’s sensitive client data. SSAE 18, AT-C Section 320 highlights the following monitoring activities that could be implemented to achieve this requirement:
- Reviewing and reconciling output reports
- Holding periodic discussions with the subservice organization
- Making regular site visits to the subservice organization
- Testing controls at the subservice organization by members of the service organization’s internal audit function
- Reviewing Type 1 or Type 2 reports on the subservice organization’s system
- Monitoring external communications, such as customer complaints relevant to the services provided by the subservice organization
For more information on SSAE 18 SOC 1®, SOC 2® or SOC 3® Reports, call (877) 410-8516 to speak to a Service Auditor at Roosa CPA, LLC.