Historically, the SOC 1 has been referred to as an SSAE 16. SSAE stands for Statement on Standards for Attestation Engagements. For all reports dated on or after May 1, 2017, SSAE 18 replaces SSAE 16. While the concepts remain substantially the same, SSAE 18 attempts to clarify and recodify the associated attestation standards. SSAE 18 will now refer to all attestation engagements, and therefore referring to a SOC 1 engagement as an SSAE 16 engagement will no longer be appropriate. Changes that will affect service organizations are relatively insignificant. Areas of clarification include the following:
· Monitoring controls of subservice organizations and documentation of subservice organizations' controls (in the case of utilization of the carve-out method).
· Removal of any non-key controls that are not necessary to achieve associated control objectives. In other words, simplification.
· Establishment of a minimum set of criteria required in management’s assertion.
The standard also has a nominal impact on service auditors (i.e. Assure or other vendors). The update requires service auditors to assess the reliability of populations and other reports provided to them.
The good news is these requirements were basically outlined in the former SSAE 16 standard and we have typically included them in our clients' reports. If you have any questions regarding the changes, please feel free to reach out directly to me at firstname.lastname@example.org.