New SOC Standards: What Do the New AICPA Attestation Standards (SSAE 18) Mean for Your SOC Report?

AICPA AT 101

The opening principle of the AICPA Code of Professional Conduct is that membership, and therefore adherence to the code, is voluntary: an accountant is never under a legal obligation to follow the code and can renounce it, together with AICPA membership, at any time. While the AICPA offers several kinds of SOC reports, we will focus on SOC 1 and SOC 2, as these are the most common in the SOC suite. A few key changes include the SOC acronym changing from Service Organization Controls to System and Organization Controls, the alignment of the Trust Services Criteria with the COSO 2013 framework, and the addition of new points of focus and criteria.


SOC stands for "System and Organization Controls"; these were formerly known as Service Organization Control reports. SOC is a suite of reports from the AICPA that third parties (CPA firms) can issue in connection with system-level controls at a service organization. The service organization owns and is responsible for its control activities, though the auditor can help identify the control objectives and the control activities in place. For example, restricting physical access to a facility could be done with a card key, biometrics, a brass key, or a full-time security guard.


All SOC reports issued on or after May 1, 2017, must adhere to SSAE 18, even if the attestation engagement takes place before the effective date. For example, if the fieldwork is conducted in March 2017 but the report is issued on May 1, 2017, the report must still comply with SSAE 18. You will also need to agree the scope of the SOC audit with your auditor and gather all relevant information on elements such as technology stacks, data flows, infrastructure, business processes, and people. Depending on which SOC report you choose, you will also need to determine which Trust Services Categories to include.

  • This new requirement means that service organizations must not only identify the critical organizations and vendors they rely on to provide their services, but also monitor that those organizations are complying with all relevant standards.
  • SSAE is an internationally recognized standard developed by the American Institute of Certified Public Accountants (AICPA).
  • "Section 101" refers to the section number within the AICPA's codified attestation standards; it provides the framework for attest engagements performed by practitioners.
  • In a SOC 2 audit report, the auditor provides a written evaluation of the service organization's internal controls.

A SOC 1 report is designed to address internal control over financial reporting, while a SOC 2 report addresses a service organization's controls relevant to its operations and compliance. At Linford & Company, we can help determine the correct report or reports to meet your needs. Service organizations should expect the service auditor to request all relevant reports from the internal audit function and from regulatory examinations; SSAE 18 clarifies that such requests are appropriate and eliminates any uncertainty around them. Make sure you can identify the vendors that provide services critical to those you provide to your user entities and that are necessary to achieving the service organization's control objectives.

How Can We Start Making a SOC 2 Compliance Checklist?

SOC 3 reports, by contrast, exclude the specific details of the controls and the results of testing, so they can be made available to the general public and are often used for marketing purposes. CSA STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards; STAR certification provides multiple benefits, including an indication of best practices and validation of the security posture of cloud offerings. We discuss above the difference between a SOC 1 and a SOC 2, but within each of these examinations the report can be a Type I or a Type II. SOC 1 and SOC 2 reports can have a lot of overlap in the control activities they cover.

SSAE 16 effectively replaced SAS 70 as the authoritative guidance for reporting on controls at service organizations and is a recognized mark of IT service quality.

What was the purpose of SSAE 16?

Each new Statement on Standards for Attestation Engagements helps to simplify attestation standards and converge them with international standards and new technology. In 2016, the AICPA replaced Statement on Standards for Attestation Engagements No. 16 (SSAE 16) with No. 18 (SSAE 18). This change was made to simplify and converge the attestation standards, including those for SOC 1 audits. SSAE 18 also covers more types of attestation reports (including SOC 2), whereas SSAE 16 was limited to SOC 1 reports. Of course, there is no certainty as to whether the general public will ever embrace the new SOC reporting nomenclature; they may prefer more familiar terms such as SSAE 16, ISAE 3402, WebTrust, SysTrust, and AT 101 over the SOC reporting categories.


SOC 2 reports, which can be issued as either a Type 1 or a Type 2, are part of the AICPA System and Organization Controls (SOC) framework. In the report, the CPA must identify the subject matter or assertion being evaluated and describe the nature of the engagement, addressing the procedures performed as well as the standards applied. Where prospective financial statements are the subject matter, the attest documentation usually needs to confirm that the process by which the organization developed them was considered in determining the scope of the examination. Each of these areas provides the key information that helps determine whether a service organization meets the Trust Services Criteria. Service organizations have become increasingly invaluable to growing organizations for a range of vital services.

AT Section 101 and SOC 2 — What You Need to Know and Why

The two engagement types we encounter most are AT-C sec. 205 examination engagements (SOC 2, HITRUST, CSA STAR) and AT-C sec. 320 (SOC 1). AT-C sec. 205 applies when suitable criteria have been published by an independent body, so that an independent auditor can attest that the client complies with the controls in, for example, the CSA or HITRUST frameworks. AT-C sec. 320 deals specifically with reporting on controls at a service organization that are relevant to user entities' internal control over financial reporting.

  • Many cloud providers currently undergo a SOC 1 examination, which is specifically intended to cover controls relevant to their customers' financial reporting.
  • Organizations that don't have a clear relationship or nexus to internal control over financial reporting (ICFR) should consider undertaking a SOC 2 examination, or possibly a SOC 3.
  • SSAE 16 Type II audits confirm the highest service level attainable for a virtual server hosting company.
  • Much of this is because a large and growing number of service organizations are technology entities, so the SOC 2 framework is more applicable to their business environment.
  • SOC 3 reports were also based on AT section 101 of the AICPA professional standards and follow the Trust Services Principles.

The goal is for the first Type II report to cover 12 months and then to obtain annual Type II reports, giving continual coverage of controls. There is some flexibility around the controls that can be included in a SOC report. While the AICPA has set criteria that must be tested in a SOC 2, there is still flexibility in the controls an organization puts in place to meet those criteria. For a SOC 1, there are no set criteria; instead, control objectives must be defined that address the services being provided. Controls are then identified to meet the control objectives, and those are what is tested and included in the examination. SSAE 18 does not represent a major overhaul of the existing attestation standard; it is a clarification and recodification of SSAE 16.


Service auditors are also required to obtain evidence that the information management provides is reliable. The SOC 1 standard used to refer to a "formal or informal" risk assessment process; it now asks auditors to understand management's process and assess whether it is complete and correct. The SOC 1 audit therefore requires auditors to identify whether all risks were appropriately identified and addressed and to determine what is missing. If no formal risk assessment process has taken place, the auditor will likely uncover gaps and insufficiencies. The AICPA is changing the way attestation engagements such as SSAE 16 are defined. Even though change can be challenging, this update, known as SSAE 18, helps to simplify and converge attestation standards with international standards.

Your decision should also factor in the size, function, and age of your organization: a SOC 1 fits organizations whose services affect their customers' financial reporting, while a SOC 2 is a comprehensive examination of the trustworthiness of a company that handles customer data. In a world where data is becoming increasingly valuable to companies and cybercriminals alike, ensuring that providers operate ethically and legally when handling that data is more important than ever.
