The Importance of Attestation Standards Like SOC 1 In Audits and Reviews

Attestation standards, in the world of auditing, basically set the ground rules for official reviews. According to the American Institute of CPAs (AICPA), a well-planned set of specific attestation standards serves to “establish requirements for performing and reporting on examination, review, and agreed-upon procedures engagements that enable practitioners to report on subject matter ordinarily other than financial statements.” One such set of key standards for service organizations includes the Statement on Standards for Attestation Engagements 16 (SSAE 16), which is often used as the guidepost for those tasked with performing a SOC 1 audit. While SSAE 16 has become the standard, it was not the original set of standards set forth by the AICPA.

The SAS 70 was the original set of standards used by the AICPA for financial reporting, but “the newly formed SOC framework placed great emphasis on the ‘internal controls over financial reporting’ (ICFR) component for service organization reporting, thus advocating service organizations to opt for a SOC 1 (for which you can obtain an SSAE 16 Type 1 or Type 2 report) only if your organization has a true relationship and/or nexus with ICFR.” If you have previously headed audits and financial reviews for your organization, you are probably quite familiar with the use of these standards to help guide you toward successful results. You probably also realize that, when auditing financial records, there is always room for clarification and improvement to help streamline the process and garner the best results for your organization and your clients.

Clarification and Recodification Are on the Horizon with the New Release of SSAE 18

As SSAE 16 improved upon SAS 70, the upcoming SSAE 18 update features key changes to SSAE 16 that promise to “clarify and formalize requirements for performing and reporting on the examination, review, and agreed-upon procedures engagements to expand the potential of what an SSAE-16 can report on.” The Auditing Standards Board (ASB) of the AICPA recently undertook the mission of further clarifying the already comprehensive SSAEs through its Clarity Project to improve the process. The resulting SSAE 18 has been available for review since April 2016 and becomes effective May 1, 2017.

SSAEs are further broken down into codified sections, which use the identifier of “AT-C.” One of the goals of the ASB in the SSAE 18 update was to help recodify and clarify the different sections within SSAE 18, and they used the following drafting conventions to meet their goals:

  • Set specific goals for each AT-C section.
  • Provide definitions, when necessary and appropriate, in each AT-C section.
  • Separate requirements and explanatory materials to make it easier to distinguish them.
  • Assign numbers to applications and explanatory materials, using an A- prefix, before presenting them following the requirements section.
  • Format using bullets and numbered lists to enhance readability.
  • Include, when necessary and appropriate, special considerations regarding examination, review, or agreed-upon procedures for government entities within the text of the AT-C sections.

SOC Audits and the Restructuring and Convergence Factors

The ASB continues its efforts to restructure sections to increase convergence with the International Auditing and Assurance Standards Board. The following sections address the most recent strides that the ASB has made to this end:

  • AT-C Section 105 – Concepts Common to All Attestation Engagements
  • AT-C Section 205 – Examination Engagements
  • AT-C Section 210 – Review Engagements

The ASB’s goal in improving convergence is to expand the applicability of any AT-C section to a particular engagement, depending on the service provided and the subject matter of the engagement. With this restructuring, the section will serve as a standard for anything that falls under a particular type of service.

SSAE 18 Responds to the Needs and Requests of Third Parties

While financial reporting is the heart and soul of SOC 1 reporting for both Type 1 and Type 2, an increasing number of third parties are requesting additional information in SOC 1 reviews. These attestation matters extend beyond basic historical financial statements and may include some of the following:

  • A possible forecast for projected financial information associated with a loan application
  • A deeper examination of an entity’s compliance with relevant rules, laws, regulations, requirements, contracts and agreements
  • A review of pro forma information presented to a potential creditor or investor
  • An exploration of the effectiveness of an entity’s security controls over an information technology system operating in a cloud-based environment

SSAE 18 may also address issues involving additional non-financial statements, such as a statement on greenhouse gas emissions. Each of these evolving relevant attestation engagements serves to expand and enhance the quality of the SOC 1 for service organizations and clients.

Significant SSAE 18 Changes That May Affect Your Business

In addition to basic enhancements and restructuring measures already mentioned, SSAE 18 also introduces new significant changes that may affect your business, including the following:

  • Separate Discussion of Review Engagements: This separation clearly differentiates services per a review of engagements.
  • Required Representation Letters: SSAE 18 now requires a review or audit practitioner to request a written representation letter in all attestation engagements.
  • Risk Assessment of Examination Agreements: Under SSAE 18, practitioners now must dig deeper to gain a more in-depth understanding of the development of the subject matter. This new rule encourages the practitioner to become more aware of the risks of any material misstatement in the examination engagement.
  • Incorporation of Detailed Requirements: A few of the key detailed requirements under SSAE 18 include the need for an engagement letter or the equivalent of written reviews performed in reviews and examinations. The ASB believes that this addition offers a higher level of assurance.
  • Scope Limitation Imposed by the Engaging or Responsible Party: Based on the practitioner’s assessment of the effect of the scope limitation, under SSAE 18, the review or engagement practitioner needs to express a qualified opinion, disclaim an opinion, or withdraw from the engagement.

Learn More About SSAE 16 and How the SSAE 18 Release Will Affect Your Business

Although you do have a fair amount of time to become familiar with SSAE 18 and how it will affect your business, it never hurts to get a good head start so your team is familiar with the process when it counts. I. S. Partners, LLC. features a team of SOC 1 practitioners who have already studied the changes and can help you prepare. Reach out via phone call at 215-675-1400 or email to a knowledgeable customer service representative who can help you learn more about SSAE 18 or to schedule a consultation.
