Effective May 1, 2017, the scope of Service Organization Control (SOC) 1 engagements will expand under the American Institute of Certified Public Accountants' (AICPA) release of Statement on Standards for Attestation Engagements (SSAE) 18. SSAE 16, formerly under the guidance of SAS 70, is replaced by SSAE 18, which clarifies existing attestation standards, including guidance for SOC 1 engagements.
SOC 1 reports address assurance requests from clients that come as part of clients' audit, regulatory compliance, vendor management or business practices. They help clients meet Section 404 of the Sarbanes-Oxley Act and private company requests, requiring entities to report on their internal controls over financial reporting. The SOC 1 reports document the evaluation and conclusions on the design of a service provider's controls and their operating effectiveness.
SSAE 18 will allow a company to report on its compliance with certain laws or regulations, contractual arrangements, and defined agreed-upon procedures that include outsourced services where assurance is required by a third party.
Under an SSAE 18 engagement, companies will need to conduct a risk assessment, at least annually, that includes a documented linkage between the potential risks of material misstatement and the controls in place to respond to the assessed risks, as well as remediation plans to mitigate any identified high-risk issues.
SSAE 18 does not impact SOC 2 and SOC 3 engagements that are conducted under the trust services principles. For a more complete description of SOC reports and why service organizations receive them, please see our recent publication, Service Organization Controls Report-Why the Decision to Get One May Add to Your Bottom Line.
What Do I Do Next?
Although SSAE 18 does not fundamentally change reporting on a SOC 1 engagement, service organizations and their CPA firms need to understand the nuances of the new considerations, proactively address the changes, and prepare for additional requests from third parties that use their services.
For additional assistance in evaluating the impact of the update on your operations, please contact MHM's Dan Klapheke. Dan can be reached at firstname.lastname@example.org or 770.858.4500.
Published on January 24, 2017