Moving from SSAE 16 to SSAE 18: What You Need to Know
If you are a corporation, your team is probably pretty familiar with filing a SOC report (Service Organization Controls). This is a reported that shows the controls over financial reporting. It basically has to do with reviewing the potential risks with outsourced services. This is what the SSAE 18 has to do with, reporting requirements.
The AICPA issued the SSAE 18 (Statement on Standards for Attestation Engagements) entitled Attestation Standards: Clarification and Recodification. There have been some changes since the SSAE 16 which is the important. These changes will mainly affect the service organization that the SOC report is created for, and the monitoring of other organizations that you are working with to provide services. These would be relevant to services that include some sort of financial endeavors and monitoring that needs to be controlled and managed.
Requirements of the SSAE 18
There are new requirements that came along with the instillation of the SSAE 18 in order to monitor certain activities. Some of these new requirements to improve effectiveness are:
- Holding meetings with subservice organizations and making regular visits to the location
- Conducting internal audits of the subservice organizations
- Monitoring complaints, reviews and external communications with regards to that subservice organization and taking appropriate actions if necessary; and
- Monitoring output reports.
Many times there are organizations that implement the use of subservice organizations after a thorough review of their practices and policies, checking their previous relationships with other companies and also reviewing other pertinent information. If they pass the initial vetting, many times they are then just working on their own with little oversight. This however should not be the case. Instead of just letting them run on their own, there should be periodic checks with the subservice organization and audits, and potentially even third party reviews. The SSAE 18 has provided ample information as to how to monitor the organization on a regular basis.
Now these changes do not take effect on current SOC reporting, but once May 2, 2017 rolls around they will. This has the opportunity to start monitoring and auditing third party vendors that don't currently perform them. It allows for more oversight than is currently required, and honestly, that can't be a bad thing, it only provides then the ability to be aware as to what is actually going on within the company.
It is important to note that many CPA organizations already take part in the more updated requirements of the SSAE 18, which is a good thing, because that means that are aware of the benefits of it. The new regulations were to help weed out the ones that were cutting corners, and these newly implements regulations are important because these firms were putting their clients at risk, which is something that should always be avoided. Make sure that you take a look at the new regulations to ensure that you and your organization are in compliance. It can only benefit you.