Statement on Standards for Attestation Engagements (SSAE) No. 18, AT-C Section 320, “Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting,” replaces SSAE 16, “Reporting on Controls at a Service Organization” (AT Section 801). Although it is an auditing standard, SSAE 18 significantly clarifies the responsibilities of service organization management, particularly at service organizations that outsource to another service organization, i.e., a subservice organization. Service organization auditors will expect management to describe the subservice organization's controls and the activities used to monitor them, as applicable.
Management of all service organizations will be expected to attest to the Service Organization Controls (SOC) 1 examination subject matter—system description, control objectives, risk assessment, control design and, for Type 2 examinations, control operating effectiveness—against relevant criteria as a precondition to the engagement. In other words, SSAE 18 clarifies that management is responsible for understanding, documenting and acknowledging the organization’s control design adequacy and operating effectiveness, as applicable, in preparation for the auditor to perform its independent examination. Scrupulous planning and adequate resource allocation are more important than ever. SSAE 18 is effective for SOC 1 examination reports dated after May 1, 2017.