Migration to a New Audit Standard
The overarching guidance that has formed the structure of SOC reports over the past several years has been the Statements on Standards for Attestation Engagements 16 (or “SSAE 16”) for SOC 1 reports and AT Section 101 for SOC 2 reports. However, both of these standards will be superseded by SSAE 18 for all reports dated and issued on or after May 1, 2017. SSAE 18 has some fairly wide-reaching implications. After a thorough review of the new guidance, Lurie has created a list of the key changes that will affect SOC engagements in future periods.
1. Vendor Management
Perhaps the most significant change is the new requirement for the service organization to evaluate the effectiveness of controls in place at the subservice organizations. Subservice organizations are those vendors so critical to the delivery of the service organization’s system that it isn’t possible to accurately describe the system without relying upon the processes, activities or services rendered by them. If a business has already undergone a SOC attestation engagement, the subservice organizations, if any, would be listed in the most recent report. Under the old guidance, the implementation of a vendor management program was considered a best practice but was not a requirement. The new guidance now requires such a program to be in place.
Under the new SSAE 18 standard, service organizations are now required to evaluate the operations, specifically the operations relevant to their system, of those vendors who are integral to the delivery of their system. For example, if a service organization were to use a vendor to process checks on its behalf, and the vendor has been deemed a subservice organization, the service organization must now periodically evaluate whether the check processing vendor is processing checks in conformity with the service organization’s expectations. This could involve one or all of the following:
- Periodic phone calls with management of the check processing company to discuss changes to the check processor’s operations.
- A thorough review of the check processor’s SOC report.
- Periodic visits to the check processor’s facilities.
- Review of the check processor’s reports to ensure completeness and accuracy.
Additionally, an audit trail would need to be created so that the service auditor can apply its test procedures.
2. Validation of Evidence
Another key change under SSAE 18 is that audit teams will be required to validate the completeness and accuracy of the reports and populations that the business provides as evidence. To accomplish this, auditors will be required to tie the evidence provided back to an objective source of truth. For example, the auditor will need to obtain evidence that the list of newly hired employees provided ties back to the business’ HR/Payroll system. The auditor may ask the service organization to provide screenshots showing the query that was used to extract the list. Another example could be that the auditor obtains evidence that the results of a vulnerability scan performed by a third party have not been modified. Auditors may ask the business to forward the original email received from the vendor containing the vulnerability report.
During a business’ upcoming fieldwork, the audit team will work with them to determine the best course of action. However, as businesses go through the year, they need to keep this new requirement in mind and try to get into the habit of retaining validation evidence for reports and populations used as part of their controls throughout the year. A good example of this would be to retain screenshots of the queries used to generate system user lists that are reviewed on a quarterly basis.
3. Additional Backend Requirements
There are also several new requirements related to changes and enhancements to auditors’ documentation and correspondence. Some of these changes will be seen in the engagement letters, the auditor’s report issued, etc. Others are behind the scenes, in the way auditors document tests, the risk assessments auditors perform prior to starting the engagement, the QA checklists used, etc.
The new guidance will be required for all audit reports dated after May 1, 2017. Note that the end of the period is not the deciding factor, but rather the date of the auditor’s opinion, which is generally determined by the date the report is issued.
Lurie Technology Consulting has performed thousands of attestation reports for clients in Minneapolis and throughout the country. The change to SSAE 18 brings some new challenges for service organizations. For questions or consultation on what to prepare for, be sure to contact us. The Firm is committed to making your transition as seamless as possible.
Kate Siegrist, CPA, CISA, CRISC
Director, Technology Consulting