New standard for SSAE 16 Service Organization Controls (SOC) reporting goes into effect in 2017

What Service Organizations need to know about SSAE18

In the spring of 2016, the AICPA’s Auditing Standards Board issued the SSAE 18 standard. This standard replaces SSAE 16 and becomes the guidance for performance and issuance of SOC 1 examinations and reports. The change goes into effect for reports issued after May 1, 2017.

It is important to note that the new SSAE 18 standard applies to all attestation engagements, not just service organizations (as was the case for SSAE 16). Also, the AICPA Standards Board has specified that SOC 1 reports should no longer be referred to as an SSAE16 report. Examinations and reports will now be known strictly as SOC 1.

What is the impact to my SOC 1 examination?

There are five changes to expect within SSAE 18 that affect the SOC 1 examination. The most significant change, vendor management, requires a service organization to ensure that its vendor management program for subservice providers is robust. The other major areas of change are Complementary Subservice Organization Controls, Risk Assessment Requirements, Written Assertion Requirement and more specific guidance to Evaluating the Reliability of Evidence Provided by the service organization as part of the assessment process. Frazier & Deeter’s Process, Risk & Governance team can help navigate the changes that impact you and your users.

Contact Gina Gondron at 404.573.4054.