This is a guest post that was co-written by Mike Mellor, CPA and Nina Drury from DiSanto, Priest, & Co. in Warwick, RI. DiSanto, Priest, & Co. is a professional advisory firm that has been in business for over 50 years providing a range of services to their clients. These services include Accounting and Assurance, Tax Planning and Compliance, Management Consulting, and Business Advisory services. For more information, please visit the DiSanto, Priest, & Co. website at http://www.disantopriest.com or by calling them at (401) 921-2000.
In April 2016, the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board (ASB) issued the Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification.
If your organization is routinely involved in the process of obtaining a SOC report or your organization is thinking about beginning the process of obtaining one, you may wonder what changes the new SSAE 18 will bring to the process.
While there are changes that will need to be implemented on the audit practitioner side, the biggest change that will affect the service organization for which the SOC report is being prepared, involves the monitoring of subservice organizations. SSAE 18 defines a subservice organization as a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting (SSAE No. 16 – SOC 1). The monitoring of subservice organizations is an area that service organizations have struggled with in the past and where control issues are often found during the SOC reporting process.
SSAE 18 is requiring that controls be implemented at the service organization that monitor the effectiveness of controls at the subservice organization. SSAE 18 highlights the following monitoring activities that could be implemented at the service organization to achieve this:
- Reviewing and reconciling output reports,
- Holding periodic discussions with the subservice organization,
- Making regular site visits to the subservice organization,
- Testing controls at the subservice organization by members of the service organization’s internal audit function,
- Reviewing Type 1 or Type II reports on the subservice organization’s system, and
- Monitoring external communications, such as customer complaints relevant to the services by the subservice organization.
In essence, a service organization should implement a robust third party vendor management policy, if one is not already in place, and ensure that the policy is being followed. Very often, service organizations vet the subservice organization initially when they are evaluating which subservice organization to partner with. However, it is just as important to ensure that subservice organizations are monitored on an ongoing basis using the methods outlined in SSAE 18.
SSAE 18 is effective for SOC report opinions dated on or after May 1, 2017 and early adoption is permitted. For any questions on how to prepare for these upcoming changes, please feel free to contact us or DiSanto, Priest, & Co. and visit our SOC Reporting Services page for assistance in preparing for the requirements today and the expectations of tomorrow.