As of the latest SSAE 18 and SOC 2 updates, vendor management and review of any relevant compliance / audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.) has become a key component of monitoring for potential security and compliance risks when outsourcing functions that use a third party’s data.
The SSAE 18 audit standard is a framework for reporting on an examination of controls at a service organization relevant to user entities’ internal control over financial reporting.
SOC 1 stemmed from the original SAS 70 report, which, once SSAE 16 was issued in April 2010, the formal report name was changed to being a SOC 1 report (but issued under the SSAE 16 guidance) and effective as of June 2011. SSAE 18 was then issued May 2017 and will be effective as of December 2018, and apply to all SOC 1 reports issued thereafter.
Previously in SSAE-16 a Management Representation Letter was highly recommended and common practice, however, they were not explicitly required to be obtained except in certain existing subject matter sections. This is now consistent across all sections.
SSAE-18 is effective for all reports issued after May 1, 2017.
SOC Reporting Guide
A SOC 1 Report (System and Organization Controls Report) is a report on Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting. The
SSAE 18 is a series of enhancements aimed to increase the usefulness and quality of SOC reports, now, superseding SSAE 16, and, obviously the relic of audit reports, SAS 70.
Another series we will have periodic posts about will be related to potential controls that would be expected to be in place, almost regardless of the entity in question. This
There are significant differences between a Type I and Type II report, however, we aren’t going to discuss that here, thats for another day. We will discuss the basics of
Introduction SSAE 16 and ISAE 3402 are two widely used auditing standards for service organizations. Many assume SSAE 16 is just the U.S. version of the international ISAE 3402 standard,
If you have never been audited before, as is the case with many service organizations, you are probably wondering what kind of documentation will I need to give the auditors?