Statement on Standards for Attestation Engagements (SSAE) No. 18, Reporting on Controls at a Service Organization, effectively replaces SSAE No. 16 and SAS 70 as the authoritative guidance for reporting on controls at service organizations. SSAE No. 18 was developed by the Auditing Standards Board of the AICPA as part of an effort to unify U.S. control standards with those of the International Auditing and Assurance Standards Board. It was formally issued in April 2012 with an effective date of June 15, 2011. A report under this standard signifies that a service organization (vendor) has been through an in-depth audit of its control processes by independent auditors. This is especially important where data is regulated and/or sensitive: there it is essential to know that the organizations managing the data have detailed, well-documented controls in place that preserve the safety and privacy of data being stored, processed and transmitted. Organizations that offer services to highly regulated industries, such as banking, insurance, healthcare and manufacturing, are often required by their clients to provide assurance of their control procedures.
Service organizations can receive significant value from having an SSAE 18 examination performed. Passing an SSAE 18 examination is essential for compliance with regulatory requirements. But there is more: if you own a company that sells outsourced services that can significantly affect the financial health of client companies (such as payroll services, data management, or claims processing), getting a clean bill of health from an SSAE 16 audit differentiates your company from your peers by demonstrating that your company has achieved a defined set of control objectives relevant to your specific industry, that your controls are effectively designed, and, in some cases, that the controls have operated effectively over a period of time. It sends a strong signal of quality and trustworthiness to your clients. Now sit on the other side of the table. If your company uses outside vendors, an SSAE 18 audit confirms that the companies handling your most sensitive and valuable information have the procedures and equipment in place to give you confidence that data storage, firewall configuration, database access, data transmission, backup/recovery, access controls and other systems are up to date and appropriate.
The AICPA has introduced Service Organization Control (SOC) Reports and identified three different attestation engagements (SOC 1, SOC 2, SOC 3) that involve reporting on controls at a service organization. SSAE 18 is the standard under which SOC 1 engagements are performed.
SOC 1, SOC 2, and SOC 3 audit differences
SOC 1 (SSAE 18) – issues an opinion about controls at the service organization that may affect assertions in the user entities’ financial statements, through one of two types of report:
Type I SOC 1 – The opinion deals with the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date.
Type II SOC 1 – The opinion deals with the fairness of the presentation of the controls, the design of the controls with regard to their ability to meet defined control objectives, and the operating effectiveness of those controls over the defined period. Third parties are better able to rely on these reports because verification of these matters is provided over a substantial period of time rather than at a single point in time.
SOC 2 – An opinion on an examination of a service organization’s description of its system and of the controls that are likely to be relevant to the security, availability, or processing integrity of the service organization’s system, or to the confidentiality or privacy of the information processed by the system.
SOC 3 – These reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy, but who do not need, or lack the knowledge to make effective use of, a SOC 2 report. SOC 3 reports cover the same subject matter as SOC 2 reports, but with less detail, and may be freely distributed to potential customers.
LPG is a Certified Public Accounting firm that is well qualified to assist outsourcing providers. We offer a full cycle of audit and consulting services related to SSAE 18 reports, including SOC 1 Type-I and Type-II, and SOC 2 and SOC 3 reports.
We use a proven methodology in the performance of all our SSAE 16 audits and SOC 2 and SOC 3 audits, which ensures our clients receive consistency in service and delivery. This methodology streamlines the audit process, resulting in minimal business interruption and full compliance with the audit guidance and related interpretations. LPG has created a well-balanced service model that accommodates the client’s SSAE 18, SOC 2 and SOC 3 compliance requirements in all phases of the engagement – from pre-assessment and the remediation process through the attestation engagement itself, including SSAE 18 Type-I and Type-II. Our service models are flexible enough to accommodate client requirements, timelines and budgetary constraints.
We are staffed with highly experienced Certified Public Accountants (CPA), Certified Information Systems Auditors (CISA) and Certified Internal Control Auditors (CICA), who understand your financial controls and your IT and security control environments. This resource structure enables us to staff the client’s SSAE 18, SOC 2 and SOC 3 engagements with the right mix of skills. Our clients appreciate the expertise that we bring to the table, their CFOs like our reasonable pricing and fixed-fee approach, and their IT and process owners want us to come back because we make these audits as painless as possible.
We also believe that effective communication is central to a successful audit. At LPG, we strive to build relationships of trust with the organizations we audit and with other stakeholders that have a direct interest in the audit. We prefer to hold frequent status updates with those we audit during on-site fieldwork so that we can discuss the progress of our examination and the interim results of our testing. Nobody likes surprises resulting from a lack of communication, especially in critical audit examinations.
SSAE 16, SOC 2 and SOC 3 Reports Added Value
Unqualified SSAE 18, SOC 2 and SOC 3 reports are the best way for a service organization to demonstrate that solid business, finance and IT practices, with appropriate checks and balances, have been properly implemented and attested to by independent auditors. The report can help a service provider generate trust in its systems and assist customers with their own financial reporting.
Beyond treating it as a compliance obligation, service organizations are now using their successful SSAE 18, SOC 2 and SOC 3 status as a competitive edge, showcasing it as a distinctive advantage over other vendors.