For the purposes of this article, we’ll be entirely focused on SOC 1. Look for future blogs related to the impact of SSAE 18 on your SOC 2 and 3 reports.
The Standards, They are a-Changin’
In 2016, the Accounting Standards Board (ASB) of the AICPA looked at its attestation standards and said, “We need to do some clarifying.” Out of this Clarity Project came the “Concepts Common to all Attestation Engagements,” and with it SSAE 18, which covers all attestation engagements with a major focus on third-party vendor management, data validation, and risk assessments. Your SOC 1 audits fall under these new standards, so buckle up and hold tight to that Client Assistance list, because this request list’s about to get bumpy.
Subservices: I can’t Take my Eyes off of You
Let’s get mystical real quick: Subservice organizations are everywhere. In fact, your company may even depend on them without realizing it. For example: You’re a hospital that outsources your billing to another company, say Umbrella Corporation, and that company utilizes the data center of another company, say Frank’s Data Center. Your company is assuming that the subservice organization, Frank’s Data Center, has implemented controls over their logical and physical security. It’s downright Inception-level stuff, but it’s important as we’ll outline here.
Typically, subservice controls are “carved out” of SOC 1 reports; in other words, not included in the evaluation of the service organization. The new standard emphasizes the importance of describing the specific relationship between the subservice and service organizations and disclosing that information in a non-fraud sort of way. Let’s nerd out on those different sections below.
Monitoring Effectiveness of Subservice Controls
The new standard requires that your service auditor determine and report on the controls the service organization has implemented to monitor the relevant controls at subservice organizations.
Below are some of the AICPA-provided examples around monitoring. Make sure your company is able to identify these in your SOC 1 reports.
- Review and reconcile output reports. Service organizations will want to verify the accuracy and completeness of output reports (or files) received from their subservice organizations. Management of the service organization should be prepared to describe the review and/or reconciliation procedures performed (including the nature, timing, and extent of the review procedures), the source of the data or information used for reconciling against the subservice organization’s output reports, and the process for remediation or corrective action if deviations are determined.
- Have periodic discussions with subservice organization personnel. Your service organization’s management should have regular discussions to determine whether the subservice organization’s controls are sufficient. Since inquiry alone doesn’t provide the best assurance, service organizations should also consider using questionnaires and supporting evidence, as well as make sure these are completed by subservice personnel who are knowledgeable of the system. Management should also document the process for these discussions in their System Description of the SOC report.
- Schedule regular site visits to the subservice. In some cases, the service organization may consider onsite walkthroughs of the relevant operations at the subservice, combined with discussions, in order to gain a better picture. Management of the service organization should note the frequency and scope of the site visit processes, including any deviations that may affect the service organization’s services. Aviators are not required while performing walkthroughs, though recommended for maximum effect.
- Employ the service organization internal audit (IA) to test relevant subservice controls. Perhaps the most effective method a service organization can use to monitor the performance of controls at the subservice organization is to use the service organization’s IA to conduct tests of controls at the subservice level. The service organization may even consider performing a Risk Assessment of those key controls when developing their audit plan. This assessment should include specifics like: the rotation/frequency of the audits (if multiple subservice organizations are used), skills and knowledge of the service organization’s IA personnel doing the audit, determining which controls to test, the frequency of the controls testing, method of documenting/reporting the results of those tests, and the process for ensuring identified deficiencies and deviations are resolved by the subservice organization in a timely manner.
- Monitor external communications. Service organizations may determine that monitoring external communications such as customer complaints, regulatory agency reports, or other communications on the effectiveness of the control operations at subservice organizations is an appropriate method for determining the sufficiency of controls at those organizations. Management should be prepared to describe these monitoring processes within its description of its system, preferably while singing Rockwell’s “Somebody’s Watching Me.”
- Review subservice organization’s SOC Reports. In order to obtain the information needed around control performance at subservice organizations, a service organization may obtain the subservice’s SOC report. Typically, SOC 1 Type 2 reports provide the information needed to see proper control performance.
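As an added example that is not part of the original article, the following script automates the first monitoring control above, reviewing and reconciling a subservice organization’s output report against the service organization’s own source data. The billing data, the CSV field names (claim_id, amount, status) and the two-file layout are all constructed assumptions for illustration; the point is that the reconciliation checks completeness (nothing missing, nothing unexpected) and accuracy (amounts and totals agree) and produces the corrective-action list that management should be prepared to describe to its auditor.

```python
"""
Added example (not from the original article): an automatable version of the
"review and reconcile output reports" control. A service organization receives
an output report from its subservice organization (here, a billing processor)
and reconciles it against its own source data. All data below is constructed;
the field names claim_id, amount and status are assumptions for the example.
"""
import csv
import io
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed: the service organization's source-of-truth claims for the period.
SOURCE_CLAIMS_CSV = """claim_id,amount
CLM-1001,125.00
CLM-1002,80.50
CLM-1003,310.25
CLM-1004,42.00
"""

# Constructed: the output report returned by the subservice organization.
# It omits CLM-1004, carries a wrong amount for CLM-1002, and contains a
# claim (CLM-9999) the service organization never submitted.
SUBSERVICE_REPORT_CSV = """claim_id,amount,status
CLM-1001,125.00,POSTED
CLM-1002,85.00,POSTED
CLM-1003,310.25,POSTED
CLM-9999,15.00,POSTED
"""


@dataclass
class ReconciliationResult:
    source_total: Decimal
    report_total: Decimal
    missing_from_report: list = field(default_factory=list)   # completeness
    unexpected_in_report: list = field(default_factory=list)  # completeness
    amount_mismatches: list = field(default_factory=list)     # accuracy

    @property
    def deviations(self) -> int:
        return (len(self.missing_from_report) + len(self.unexpected_in_report)
                + len(self.amount_mismatches))

    @property
    def clean(self) -> bool:
        return self.deviations == 0 and self.source_total == self.report_total


def load_amounts(csv_text: str) -> dict:
    """Parse a CSV with claim_id and amount columns into {claim_id: Decimal}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["claim_id"]: Decimal(row["amount"]) for row in reader}


def reconcile(source_csv: str, report_csv: str) -> ReconciliationResult:
    """Compare the subservice report with source data and collect deviations."""
    source = load_amounts(source_csv)
    report = load_amounts(report_csv)
    result = ReconciliationResult(
        source_total=sum(source.values(), Decimal("0")),
        report_total=sum(report.values(), Decimal("0")),
    )
    result.missing_from_report = sorted(set(source) - set(report))
    result.unexpected_in_report = sorted(set(report) - set(source))
    for claim_id in sorted(set(source) & set(report)):
        if source[claim_id] != report[claim_id]:
            result.amount_mismatches.append(
                (claim_id, source[claim_id], report[claim_id]))
    return result


def remediation_items(result: ReconciliationResult) -> list:
    """Turn deviations into the corrective-action list the auditor will ask about."""
    items = [f"missing in subservice report: {c}" for c in result.missing_from_report]
    items += [f"unexpected in subservice report: {c}" for c in result.unexpected_in_report]
    items += [f"amount mismatch {c}: source {s} vs report {r}"
              for c, s, r in result.amount_mismatches]
    return items


if __name__ == "__main__":
    res = reconcile(SOURCE_CLAIMS_CSV, SUBSERVICE_REPORT_CSV)
    print(f"source total {res.source_total}, report total {res.report_total}")
    print("clean" if res.clean else f"{res.deviations} deviation(s) to remediate")
    for item in remediation_items(res):
        print(" -", item)
```

Run on the constructed data, the reconciliation flags one missing claim, one unexpected claim and one amount mismatch, and the control totals disagree; each line of the remediation list is an item management would track to closure with the subservice organization and retain as evidence of the monitoring control operating.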
Organizations that use SOC or other attestation reports to monitor subservice organizations should do a double-take at any User Control Considerations (UCCs, also known as Complementary User Entity Controls) described in those reports. These UCCs state which controls the subservice organization assumed the service organization would implement when the subservice designed its controls. Management of the service organization should have a process for reviewing the SOC 1 reports, detailing procedures performed to determine the sufficiency of the scope and timing of the SOC report, individuals at the service organization responsible for reviewing the report, communicating with the subservice organization about any identified deviations (as needed), the process for identifying any UCCs in the report and determining whether those UCCs apply to the service organization, and any related action items to ensure the UCCs are addressed.
Evaluating the Reliability of Evidence Produced by the Service Organization
SOC 1 auditors are required to ensure the evidence provided by the service organizations is sufficiently accurate, complete, and detailed for their audit purposes (in other words, totes legit). SSAE 18 provides the following examples of the forms that information may take:
- Population lists used for sample tests
- Exception reports
- Lists of data with specific characteristics
- Transaction reconciliations
- System-generated reports
- Other system-generated data (e.g., configurations, parameters)
- Documentation that provides evidence of the operating effectiveness of controls, such as user access listings
For SOC auditors, this may require more detailed and documented qualitative procedures to determine the sufficiency of the evidence provided by the service organization.
For service organizations, this may require more detailed or corroborating evidence that supports evidence provided to auditors.
Obtaining an Understanding of the Service Organization’s System and Assessing the Risk of Material Misstatement
SSAE 18 builds on the mission objective of your auditors to gain an understanding of the service organization’s system, including controls that are included in the scope of the engagement, with new guidance on assessing the risk of material misstatement. Service organizations most likely won’t notice any difference in this area, but your company should understand any potential impact of the system on the financial statements and prepare accordingly.
What Your Company Should do Next
Service organizations (and your company, if you’re using them) should talk with a CPA firm regarding their SOC 1 reports and the impact of SSAE 18 on their SOC 1 exams and reports. Although this article is not a comprehensive review, it should help your company and service organization start preparing for how SSAE 18 will impact your SOC 1 reports.
Remember: SSAE 18 is effective for all SOC reports dated on or after May 1, 2017.