The Clarity Project: SSAE-18 Essentials

Author: NICSA

With an increased industry focus on oversights and controls, usage of System and Organization Control (SOC) reports has spiked—leading the American Institute of Certified Public Accountants (AICPA) to streamline its corresponding guidance through a recent effort known as The Clarity Project.

On a recent #WebinarWednesday, Vincent Concialdi, Partner, Grant Thornton LLP, shared insights on the project and its resulting changes to the auditing Standards For Attestation Engagements (SSAE) under SSAE-18: Attestation Standards, Clarification and Recodification.

“It is very important for service auditors as well as service organizations to keep abreast of all of the changes to make sure we’re complying with firm and technical standards,” Concialdi said.

Issued by the AICPA’s Auditing Standards Board (ASB), SSAE-18 removes redundant and contradictory guidance and aligns standards in the United States with those internationally. It was released April 2016 and is effective for practitioner reports dated on or after May 1, 2017.

Information on the new standards proved valuable to webinar attendees, who took an online poll during the session to describe how their organization engages in the SOC process. Twelve percent of attendees said their organization is a service provider that undergoes SOC examinations, and 22 percent said their organization is a recipient/reviewer of reports from service providers. The majority, 64 percent, said their organization both undergoes SOC examinations and reviews reports from service providers.

AICPA Branding of SOC Reports
In addition to the release of SSAE-18, Concialdi noted that AICPA rebranded its SOC reports.

“Previously, SOC was an acronym that stood for Service Organization Control reports, and it has changed to represent System and Organization Control reports,” Concialdi said. “It sounds like an easy and simple change, but the goal was to make the definition more comprehensive.”

Furthermore, the SOC 1, SOC 2, and SOC 3 reports have been given more comprehensive names, as follow:
• SOC 1 – SOC for Service Organizations: ICFR
• SOC 2 – SOC for Service Organizations: Trust Services Criteria
• SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report

Concialdi said SSAE-18 serves to “centralize or consolidate guidance applicable to attestation engagements” into the following sections beginning with AT-C (which stands for clarified attestation standards):

• AT-C Sec. 105 – Concepts Common to All Attestation Engagements
• AT-C Sec. 205 – Examination Engagements
• AT-C Sec. 210 – Review Engagements
• AT-C Sec. 215 – Agreed-Upon Procedures Engagements
• AT-C Sec. 305 – Prospective Financial Information
• AT-C Sec. 310 – Reporting on Pro Forma Financial Information
• AT-C Sec. 315 – Compliance Attestation
• AT-C Sec. 320 – Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting

“Look at it as building a house—or having a foundation for a house with many different layers on it,” Concialdi said. For example, he said, every examination starts with the “foundation” of AT-C Sec. 105: Concepts Common to All Attestation Engagements.

“After starting with Sec. 105, you move on to adding sections 205, 210, or 215; depending on what type of an engagement it is,” Concialdi said. “If it’s an examination—like a SOC 1, SOC 2 or SOC 3—we would add Sec. 205. If it’s a review or agreed-upon procedure, we would add 210 or 215. After that layer is added, we would add additional layers, ranging from 305-320.”

Summary of Changes
Though the full SSAE-18 standard is several hundred pages long, Concialdi highlighted some of the changes that will make an impact on NICSA members.

A significant change is the introduction of the Complementary Subservice Organization Control (CSOC). “It represents a control that the service organization expects the subservice organization to have in place,” Concialdi said. The CSOC must be included in Section III: Description of the System.

SSAE-18 also introduces new responsibilities for monitoring subservice activities, a focus on key controls required to achieve objectives and the establishment of minimum criteria for management’s assertions.

The new standard further provides emphasis on the definition of an internal audit, outlining the service auditor’s responsibility in evaluating information provided by the service organization.

“That’s the reliability of information—we want to make sure that the service auditor is actually able to validate the populations and controls, and that should be disclosed in the report as well,” Concialdi said.

Finally, SSAE-18 introduces the concept of Risk of Material Misstatement as well as significant changes to the service auditor’s opinion—including a new format, references to CSOCs and an expanded restricted-use paragraph that includes auditors who report on internal controls over financial reporting (ICFR).

Members should prepare for further changes to go into effect specific to SOC 2 reporting.

“As it relates to the SOC 2 reports, the AICPA has also been very busy,” Concialdi said. “It has released revisions to the trust services principles and criteria, with the most recent release earlier this year, and these changes will be incorporated into the SOC 2 report that will be issued in 2018.”

NICSA thanks Northern Trust for sponsoring this webinar. To view an archived version, visit <link here>, and be sure to share your thoughts with us.

NICSA: 8400 Westpark Drive, 2nd Floor McLean, VA 22102 • Tel: 508.485.1500 • Fax: 508.485.1560