Many service organizations (e.g., payroll processors, data centers, facilities management companies), for reasons similar to why their clients contract with them, contract with third parties to perform certain functions or services on their behalf. The AICPA refers to these third-party vendors of service organizations as “subservice organizations.” Recognizing the impact that both service organizations and their subservice organizations can have on the financial statements of the service organizations’ clients (a.k.a. user organizations), the AICPA established Service Organization Control (SOC 1) examinations. Within SOC 1 examinations, subservice organizations are defined as third parties contracted by service organizations to perform activities or provide services to the service organizations that could have financial implications for the clients of the service organizations. Therefore, the internal controls at these organizations are critical to the clients of the service organizations. To promote greater assurance over the financial information clients receive from their service organizations, knowing that such information could depend on the subservice organizations, the AICPA issued Statement on Standards for Attestation Engagements (SSAE) 18, which supersedes SSAE 16. SSAE 18, in comparison to SSAE 16, more explicitly addresses the need for service organizations to assess controls at subservice organizations and the controls residing within the service organization that complement the subservice organizations’ controls (complementary controls).
Complementary subservice organization controls are the controls that management of the service organization assumes, in the design of the service organization’s system, will be implemented by the subservice organizations and that are necessary to achieve the control objectives stated in management’s description of the service organization’s system.
The most significant change from the SSAE 16 requirements to the SSAE 18 requirements for service organizations that use a subservice organization is that the service organization has to put more emphasis on monitoring the effectiveness of controls at subservice organizations. Not only does the service organization need to include the subservice organization’s control detail in management’s description of the system, but it also has to monitor the effectiveness of those controls at the subservice organization.
Management’s description of the service organization’s system and the scope of the service auditor’s engagement are required to include controls at the service organization that monitor the effectiveness of controls at the subservice organization. These monitoring controls should include some combination of ongoing monitoring, to determine that potential issues are identified in a timely manner, and separate evaluations, to determine that the effectiveness of internal control is maintained over time. SSAE 18 provides the following monitoring control suggestions:
- reviewing and reconciling output reports
- holding periodic discussions with the subservice organization
- making regular site visits to the subservice organization
- testing controls at the subservice organization by members of the service organization’s internal audit function
- reviewing type 1 or type 2 reports on the subservice organization’s system prepared pursuant to this section or section 205
- monitoring external communications, such as customer complaints relevant to the services by the subservice organization
Remember that the Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification, will be in effect for reports dated on or after May 1, 2017.
Please contact us with questions as you prepare for SSAE 18.