The new service organization reporting standard, Statement on Standards for Attestation Engagements (SSAE) No. 18, is now in effect, and all organizations moving from the previous standard (SSAE 16) must report using the new standard for reports dated on or after May 1, 2017. SSAE 18 supersedes SSAE 16 as the professional guidance for performing the service auditor's examination. These services must be performed by a licensed CPA firm with the appropriate expertise in all areas.

Bonadio is dedicated to providing the most effective and comprehensive SSAE 18 assessments for our diverse group of clients. We bring the depth of experience of the Big 4, without the price and without disconnected services performed by junior staff members. Our practice partners are fully engaged and work alongside a team of highly knowledgeable internal process auditors who are familiar with every nuance, every AICPA control requirement, and every technology and assurance system, to deliver examination solutions that meet your needs, your clients' needs, and your auditor's needs.

We never approach an SSAE 18 or AT-C 205 examination as one size fits all; we customize the examination to each unique client, market, and reporting need. We deploy a methodology that is the best in the business, offering flexible and practical approaches based on each client's unique operating processes and infrastructure.

Service Organization Control (SOC) Reports Detail
There are three report standards: SOC 1, SOC 2, and SOC 3.

SOC 1 Reports are prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18, Reporting on Controls at a Service Organization (AT-C 320). The purpose of the SOC 1 report remains unchanged under the new standard: it provides a means of reporting on the system of internal control for purposes of complying with internal control over financial reporting. SOC 1 reports are restricted-use reports, which means use of the reports is restricted to:

  1. Management of the service organization (the company that has the SOC 1 performed),
  2. User entities of the service organization (the service organization's clients), and
  3. The user entities' financial auditors (user auditors). The report can assist the user entities' financial auditors with laws and regulations such as the Sarbanes-Oxley Act. A SOC 1 enables the user auditor to perform risk assessment procedures and, if a Type II report is performed, to assess the risk of material misstatement of financial statement assertions affected by the service organization's processing.

SOC 2 Reports are examination engagements performed under SSAE 18 (AT-C 205) in which the service auditor reports on controls at a service organization other than those relevant to the user entity's internal control over financial reporting. Those controls relate to security, availability, processing integrity, confidentiality, and privacy. In a Type II engagement, the report is supplemented by a description of the tests of operating effectiveness and their results. The trust services criteria serve as the criteria for SOC 2 engagements; they are established in TSP 100, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. While SOC 2 reports have restrictions similar to those of a SOC 1, SOC 2 reports can also be used by management of prospective user entities performing due diligence who intend to use the information for vendor selection.

SOC 3 Reports: A SOC 3 engagement, similar to a SOC 2 engagement, is an examination performed under SSAE No. 18 (AT-C 205) in which a service auditor reports on controls at a service organization other than those relevant to the user entity's internal control over financial reporting. Those controls relate to security, availability, processing integrity, confidentiality, and privacy. As in a SOC 2 engagement, the trust services criteria are used to assess management's assertion. The difference between a SOC 2 engagement and a SOC 3 engagement is that a SOC 3 engagement does not provide the detailed description of tests of controls and results that is included in a SOC 2 report. A SOC 3 report is not a restricted-use report.

Report Types
One of the most effective ways a service organization can communicate information about its controls is through a Service Auditor's Report. There are two types of Service Auditor's Reports: Type I and Type II.

A Type I report presents the service organization's description of controls at a specific point in time (e.g., as of June 30, 2018). A Type II report not only includes the service organization's description of controls, but also includes detailed testing of the service organization's controls over a minimum six-month period (e.g., for the period January 1, 2017 to June 30, 2017). The contents of each type of report are described in the following list:

Report Contents for Type I and Type II Reports

  1. Independent service auditor's report (i.e., opinion).
  2. Service organization's assertion.
  3. Service organization's description of its system (including controls).
  4. Information provided by the independent service auditor, including a description of the service auditor's tests of the design and/or operating effectiveness of controls and the results of those tests.
  5. Other information provided by the service organization (e.g., a glossary of terms).

The Type I Report
In a Type I report, the service auditor expresses an opinion and reports on the subject matter provided by the management of the service organization as to (1) whether the service organization's description of its system fairly presents the system that was designed and implemented as of a specified date; and (2) whether the controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives, also as of that specified date.

The Type II Report
In a Type II report, the service auditor expresses an opinion and reports on the subject matter provided by the management of the service organization as to (1) whether the service organization's description of its system fairly presents the system that was designed and implemented throughout the specified period; (2) whether the controls related to the control objectives stated in management's description of the service organization's system were suitably designed throughout the specified period to achieve those control objectives; and (3) whether those controls operated effectively throughout the specified period to achieve those control objectives.
