Last year, I published a blog called SOC it 2 Me in 2016 regarding understanding the types of external assurance audits, including a comparison of SOC 1 and SOC 2 engagements. Post the transition from the “SAS 70” era and a few cycles of SOC 1, SOC 2, and SOC 3 engagements; the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) has revised the existing attestation standards. While it may seem like we are changing the rules of the fight while already in the boxing ring – the new standards are designed to provide greater rules of engagement between the users of audit reports, the service provider, and the service auditor without needing a boxing ring referee.
The goal of the game change in the existing standards was designed to focus on clarity, length, and complexity to deliver reports with enhanced usability for the recipient. The result is a change to the examination standard Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting. The prior SSAE 16 report will now be changed to the SSAE 18 format for any reports dated on or after May 1st, 2017. While the scope, methodology, and testing differences may appear to be “External Assurance Alphabet Soup” to the non-accountant, the change will affect not only how service providers conduct and provide external audit reports to their client base, but will influence how the recipient of the reports understands the controls environment and their risk within the third-party relationship.
Part 1: Preparing for the SSAE 18 will focus on highlighting the changes and differences to the planning, scoping, and execution of an SSAE 18 engagement from the service organization’s point of view. Part II: Preparing for the SSAE 18 will dig a bit deeper into the downstream implications to third party risk and the inspection of the service organizations’ overall Third Party Service Provider oversight or Vendor Management Programs.
Planning, Scoping, and Execution Changes
Last year, multiple articles and white papers were published, including the solicitation of feedback by the AICPA on the proposed changes to the standard. However, I have found that it’s only when an organization begins to apply the new standards to the scope of their external audit engagement, that the process or report format changes become more tangible.
It is best to take a proactive approach with your selected audit firm partner to fully understand what changes are more internal methodology and reporting writing that directly impacts the audit firm and what changes impact the service provider organization sponsoring the engagement. Successful planning and collaboration on the scope of the engagement can minimize the impact of the standards changes.
- Changes in Methodology: The updated standard requires changes that alter the service auditor’s involvement in the engagement to meet the enhanced standards attestation requirements. One of the key objectives of the SSAE 18 is to enhance maturity in the scoping and testing process to provide better clarity to the reader on the system environment and controls.
- Changes in Report Format: The content in the narrative or management description of the system controls should align to the scope of the controls in the actual report. The updated standards provide greater clarity on what should and should not be in the system description section based on the controls that are tested by the service auditor. These enhanced parameters will provide a more streamlined description of the system and control environment, with enhanced transparency.
- Changes to the definition of subservice organizations: A new definition has been created to address the utilization of third party vendors within the scope of the application or systems involved in the engagement. The Complementary Subservice Organization Control or (CSOC) are the controls the service provider assumes will be implemented by their subcontractor or subservice provider, but are not addressed by the service auditor. The management description of the environment and systems should more clearly describe any assumed controls of the subservice organization.
Addressing new functionality or capability changes
While the initial SSAE 18 changes focused on the report and process for the audit engagement – basically the “rules of engagement”, there are a few differences in the new standard that will require service provider organizations to adapt their approach to their external assurance program or audit engagement plan. Highlights of these changes include:
- Conducting a controls-focused risk assessment: While the service organization defines the controls that they align to the control objectives in a SOC 1 or SSAE 18 report, the service provider now has a greater burden to provide an evaluation of the controls to demonstrate why the selected controls are key or material to meeting the objective. The service organization will need to review the identified controls and justify or share the reasons the controls are critical to the controls need for financial reporting. The goal is to reduce the potential of listing non-material or task/activities as controls and strengthen the process maturity in the controls assessment. The audit firm will also have a stake in this maturity journey as they will be required to demonstrate greater knowledge of the system, risks, and controls to prevent the potential risk of a misstatement and review how to assess or respond to those risks.
- Ensuring Reliability of Data: The new standard increases the maturity required for reviewing system generated reports used in the engagement process. While data validation or confirming the accuracy of reported data is an industry best practice, the updated standard basically codifies the need for the service provider to provider greater detail on how the information was provided so that the auditor can confirm the information is reliable and precise enough for the assessment. A critical component of the new functionality is if the service provider provides key reports to its client base regarding specific controls, then those reports may need to be in scope. Service organizations will need to develop a position and criteria in their engagement planning for evaluation of which reports are critical to a control, vs. simply providing operational performance report data to the client base.
- Enhancing the focus on Third Party Controls: Service providers will need to review the criteria for how they address the usage of third parties in the systems, environment or control process for the scoped audit engagement. With varying levels of technology outsourcing, the scope of which third parties are critical to the environment will need to be documented, including the parameters for any scoped out third parties. The service provider will need to develop their criteria for these subservice providers and identify any controls that are ‘assumed’ to be included in the management description of the environment. A common example is an outsourced data center provider or cloud security provider, where that entity has implemented the physical and/or logical safeguarding of the datacenter/hosted environment. Those controls then complement or supplement the controls the service provider performs and should be included in management’s description of the system or narrative and not listed as a control to be tested.
While it may seem that these are mostly technical or methodology changes for what is a knockout or a penalty, the changes do affect the strategy in the external assurance boxing ring, for how to plan, scope and execute engagements. Part II of this story will focus on the implications of these changes to Third Party Service Provider or Vendor Management programs.