SSAE 18 SOC 1 Audit Reports Introduction and Overview for Texas Service Organizations
If you, as a service organization in Texas, are working towards becoming compliant with the SSAE 18 attestation standard, then it's important to understand all aspects of SSAE no. 18 audits: what they are, what they include, and what they're designed to do. SSAE stands for Statement on Standards for Attestation Engagements. It is the AICPA standard under which an independent service auditor examines a service organization's controls and issues a report, either Type 1 or Type 2, on the organization's system description and its controls relevant to user entities' financial reporting.
With so many letters and numbers, however, the landscape of SSAE 18 audits can easily, and problematically, become a minefield. Luckily, once you're over the initial hump of learning, things get a little simpler. So, let's start with the basics: what exactly does an SSAE 18 audit entail?
AICPA: Their Role in SSAE 18 SOC 1 Audits
The AICPA, for starters, refers to the American Institute of Certified Public Accountants. They're the ones who set up SOC (System and Organization Controls), the reporting framework we're working with and the platform that replaced the aging SAS 70 standard. For report periods ending on or after June 15, 2011, the professionally mandated way of performing SOC 1 engagements was SSAE no. 16. That, too, has since been replaced, and SOC 1 engagements are now performed under SSAE 18 (specifically its AT-C Section 320).
Secondarily, SOC 2 reports were historically performed under AT Section 101, and SOC 3 reports under AT Section 101 together with elements of the SysTrust/WebTrust Trust Services Principles (TSP); under SSAE 18 these are performed under the AT-C sections and the AICPA's Trust Services Criteria. Confused yet? Not to worry. Put the SOC 2 and SOC 3 reporting options away for later; this article deals only with SOC 1. (Consider talking to a qualified CPA firm, who can help walk you through the various acronyms and vocabulary you'll need to understand SOC reporting.)
What's a Service Auditor's Report?
You may have heard of these before; they're often colloquially known as "opinion letters." The formal name is the "Independent Service Auditor's Report," and you will also see it shortened to "Service Auditor's Report" or "Independent Auditor's Report." All of these refer to the same section of the SOC 1 report.
The term refers to a short section, typically around two pages, that describes the scope of the wider SOC report, the period covered by the testing (in the case of an SSAE 18 SOC 1 Type 2 report), and the auditor's overall opinion; in other words, a comprehensive but concise introduction to the report. The CPA firm that issues the SSAE no. 18 report is the party that writes and signs this opinion. While wording and minor details vary from firm to firm, all firms are expected to adhere to the same basic standard.
What is the Written Statement of Assertion?
Like the "service auditor's report," the Written Statement has many informal names; it might be called a "management assertion," "written assertion by management," or similar. What is management asserting to, exactly? It's a written statement, signed by the service organization's management, that the system description and the controls it describes are fairly presented and suitably designed (and, for a Type 2 report, operated effectively).
For example, management must assert that the system description it provides is a fair and accurate representation of the processes within the service organization, either as designed and implemented on a particular date, as in the case of an SSAE 18 Type 1 report, or as it existed throughout a given period, as in the case of an SSAE 18 Type 2 report.
Additionally, management should assert that the controls related to the stated control objectives were suitably designed to achieve those objectives (again, either on a particular date or over a particular period, depending on the type of report being used). Management is also responsible for identifying the criteria used to make those assertions, including supporting references and any statements regarding risk factors that exist in relation to the controls and control objectives and, in the case of a Type 2 report, whether the controls operated effectively throughout the period.
This is a requirement introduced by SSAE 16 (and carried forward into SSAE 18) and was not part of the now-outdated SAS 70 reporting standard.
What is a System Description?
What does a "system description" entail? Under the historical SAS 70 auditing standard, all that was required was a "description of controls": a description of the ways in which the service organization's core activities affected financial reporting for its clients.
What SSAE 16 (and now SSAE 18) requires is something more comprehensive: specifically, a description of the "services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities." The SSAE 18 standard essentially wants a sense of how it all fits together as a coherent whole; thus, the description itself is usually quite long and detailed, and is organized into several categories.
What Else Has to Be in There?
Additional sections of an SSAE 18 SOC 1 report include "User Control Considerations" (the controls that user entities are expected to have in place) and, in the case of a Type 2 report, "Test Procedures," "Tests of Operating Effectiveness and Results of Testing," and any "Exceptions" noted during testing.
Anything Else?
SSAE no. 18 is not the only reporting standard out there. SAS 70 has been effectively phased out after roughly 20 years at the forefront of service organization reporting, but ISAE 3402 (the international equivalent) as well as region-specific standards are also in use.
That said, SSAE 18 is becoming a, if not the, major player in third-party assurance reporting, and many different varieties of service organizations, from data centers to managed service providers to SaaS (software as a service) providers, are making use of it, often alongside the SOC 2 reports their customers have come to expect.