Changes Ahead for SSAE-16


New guidance has been issued for the Service Organization Control (SOC) 1 report, also known as the Statement on Standards for Attestation Engagements (SSAE) No. 16 (SSAE-16) report. Next month, the new SSAE-18 will replace the current SSAE-16 and will be effective for reports dated on or after May 1, 2017. SOC reports provide insight into a provider’s operations and instill confidence in its services. Independent auditors conduct SOC attest engagements in accordance with American Institute of Certified Public Accountants (AICPA) standards. While voluntary, SOC reports are highly regarded by customers, auditors, and other stakeholders as support for compliance and oversight activities.

The SSAE-16 focused on internal controls over financial reporting. Organizations that can obtain these reports include those with services related to payment card processing, financial applications, and online document management repositories that could house financial files.

The SSAE-18 expands on the SSAE-16 to include the controls of Sub-Service Organizations (SSO), which are “service organizations used by another Service Organization (SO) to perform some of the services provided to user entities’ internal control over financial reporting (SSAE 16/SOC 1) (AICPA).” The term “user entities” refers to the customers of the services obtained from a service provider. Overall, not much change is required on the part of the SO.

The main changes in the newly developed SSAE-18 provide additional clarity in the guidance on, and oversight of, SSO activities that contribute to the SO’s services. The SSAE-18 format introduces several changes, including description details for the SSO, monitoring by the SO of the SSO’s relevant controls, and guidance on the reliability of evidence, among other related details.

Auditors should update their templates and methodologies before the May 1, 2017, effective date. SOs should also be aware of the new types of information that will be requested, so they can coordinate with their SSOs to support audit responses. User entities can expect these additional details to appear in the future SOC 1/SSAE-18 reports they obtain and review for compliance purposes.

Learn more about SOC reports in our SOC Reports Overview. Sign up for our SOC Reports 101 webinar to learn more about this subject and ask questions on behalf of your organization.

About Natasha Barnes


Natasha Barnes is an IT risk and compliance professional with a focus on IT audit readiness and remediation. She has led large scale remediation efforts for federal clients responding to IT findings from Financial Statement Audits. On these engagements, Natasha became well known for her diplomatic efforts in facilitating discussions with stakeholders across IT and Financial departments. She established an understanding of complex technical issues with these functional team members and helped them to collaboratively execute remediation plans. She has also been involved with establishing and facilitating continuous monitoring programs, which contributed to the closure and severity reduction of several IT findings. In addition, Natasha has experience with security risk analysis, disaster planning, and project management. She holds Certified Associate in Project Management (CAPM) and Certified Information Systems Auditor (CISA) credentials. Natasha has led teams in executing Office of Management and Budget (OMB) A-123 compliance assessments and she has contributed to a Statement on Standards for Attestation Engagements (SSAE-16) engagement. She also led a third party system audit readiness assessment based on National Institute of Standards and Technology (NIST) 800-53 in anticipation of upcoming audit scrutiny. Natasha has developed and instructed trainings for her clients and colleagues on subjects related to Financial Statement Audit IT protocol, Federal Information Security Management Act (FISMA), Federal Information System Controls Audit Manual (FISCAM), NIST, and OMB A-123.
