Service Organization Controls
What is Service Organization Controls (SSAE 18)?
If a service company provides a service to another organization that could influence its financial position, data, or security, then the original service company may be required to have an SSAE 18 engagement or audit performed. The SSAE 18 audit provides assurances to clients of the service organization that pertinent processes and systems are in place to mitigate the risks associated with having a third-party partner.
The SSAE 18 engagement and the associated audit process has become the "de facto" standard for service organizations. Accordingly, more service organizations are complying with this new set of standards. As a result, the SSAE 18 and associated audits are becoming synonymous with the "good housekeeping seal of approval".
SSAE 16 vs. SSAE 18
Effective May 2017, SSAE 18 supersedes SSAE 16. SSAE 18 clarifies and formalizes requirements for performing and reporting on the examination review, and agreed-upon procedures engagements to expand the potential of what an SSAE 16 can report on. In addition to processes related to financial statements, SSAE 18 can report on an entity's compliance with certain laws or regulations, contractual arrangements, or another set of defined agreed-upon procedures - just about any outsources service where 3rd party validation would be beneficial and add assurance.
If you never performed a risk assessment in the past, you will most likely need to think about implementing one. With SSAE 18 there is an increased focus on the performance of a risk assessment at least annually.
Why is SSAE 18 Compliance Necessary?
In this post-Enron era, there are a number of reasons why more service organizations are being asked to become SSAE 18 compliant. However, it primarily stems from the surge of legislation, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act of 1999, and most notably, the Sarbanes-Oxley Act of 2002 (SOX).
Collectively, these rulings advocate protection of privacy, corporate accountability, and establishment of internal controls throughout the organization. Thus, a need was created in many industries for a due diligence process that can aggregate many of the principles found within these three acts and provide companies with a high level of assurance and confidence when using service organizations for outsourcing critical business functions.
Applicable Service ORganizations...
Some examples of industries that may require SSAE 18 include:
SSAE 18 SOC Reports...
To provide a standard framework for CPAs to examine controls and to help management understand the related risks, the American Institute of Certified Public Accountants (AICPA) has established three Service Organization Control (SOC) reporting options (SOC 1, SOC 2 and SOC3 reports). Before diving into the quagmire of report options and type of engagements surrounding the SSAE 18 reporting and its associated audits, the key question for the service requiring the engagement needs to be - who are the final audiences for this report?
The difference of the aforementioned reports and the types of engagements are significant and address different aspects of the service organization.
SOC 1 Report
Generally speaking, reports on Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting: SOC 1 engagements are performed under SSAE 18, Reporting on Controls at a Service Organization.
SOC 1 reports are examination engagements undertaken by a service auditor to report on controls at an organization that provides services to user entities when those controls are likely to be relevant to a user entity's internal control over financial reporting. There are two types of SOC 1 reports.
- Type I - A report on management's description of the service organization's system and the suitability for the design of the controls to achieve the related control objectives included in the description as of a specified date.
- Type II - A report on management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
SOC 2 Report
SOC 2 reports are reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy. Many entities outsource tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information for user entities.
SOC 2 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations, as well as the requirements and guidance in AT Section 101, Attest Engagements, of SSAEs. A SOC 2 report is similar to a SOC 1 report in that either a Type I or Type II report may be issued and the report provides a description of the service organization's system. .For a type 2 report, it also includes a description of the tests performed by the service auditor and the results of those tests
SOC 2 reports specifically address one or more of the following five key system attributes:
- Security - The system is protected against unauthorized access (both physical and logical);
- Availability - The system is available for operation and use as committed or agreed;
- Processing Integrity - System processing is complete, accurate, timely and authorized;
- Confidentiality - Information designated as confidential is protected as committed or agreed;
- Privacy - Personal information is collected, used, retained, disclosed and disposed of in conformity wit the commitments in the entity's privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants.
SOC 3 Report
SOC 3 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations that also are used in SOC 2 engagements.
The key difference between an SOC 2 report and an SOC 3 report is that an SOC 2 report, which is generally a restricted use report, contains a detailed description of the service auditor's tests of controls and results of those tests as well as the service auditor's opinion on the description of the service organization's system.
An SOC 3 report is a general-use report that provides only the auditor's report on whether the system achieved the trust services criteria (so there is no description of tests and results or opinion on the description of the system). It also permits the service organization to use the SOC 3 seal on its website. SOC 3 reports can be issued on one or multiple Trust Services principles (security, availability, processing integrity, confidentiality, and privacy).
SSAE 18 - Type I vs. Type II Engagement...
As the following outline address, there are two distinguishing factors between the Types of SSAE 18 engagements. These being:
- Type I reports provide an opinion on the designed effectiveness and relevance of an organization's internal controls on a specific date; and
- Type II reports contain the same information as Type I reports, but also test an organization's internal controls over a period of time (generally greater than six months).
Type I Engagements
SSAE 18 Type I is designed to provide an overview of Service Organizations description of internal controls and processes relevant to their customers. The SSAE Type I engagement is helpful for Service Organizations to gain an understanding of the control and processes that are designed at the Service Organization. A SSAE 18 Type I audit has an associated opinion and a description of services relevant to the services under review as of a point in time.
SSAE 18 Type 1 engagement is aimed at understanding and validating the service organizations systems / controls and also the implementation of the listed controls.
For this engagement, the Lakelet Advisory Group LLC and management of the service organization will need to:
- Prepare a detailed description of all the existing controls of the organization;
- Define the method of designing the controls;
- Document the methodology of the implementation of the controls; and
- Describe the timeliness of creation and implementation of the controls within the organization.
As we work together, we will prepare a written assertion that details the scope of the SSAE Type I engagement, the date on which the test needs to be conducted, and also the relevance and sanctity of the information provided in the description. We will then submit both the assertion and descriptions to the auditor for the engagement.
Effectively, the SSAE 18 Type 1 engagement establishes the existence of control systems in the service organization and their implementation on the specified date of the test. This report can be of interest to existing and potential clients because it confirms the credibility of the service organization.
Type II Engagements
SSAE 18 Type II also provides a description of internal controls and processes relevant to their customers. However, Lakelet Advisory Group LLC and our independent auditor test these controls over a period of time to verify that the internal controls and process is actually occurring as the service organization intended. The independent auditor will then provide an opinion about the actual operation of controls; as a result, third parties are more likely to accept a Type II report versus a Type I report.
SSAE 18 Type II engagements are more aligned to test the effectiveness of the system controls that have been implemented by the service organizations.
For this engagement, the Lakelet Advisory Group LLC and your management team will need to:
- Prepare the descriptions and assertions;
- Submit them to the independent auditor. The auditor will then perform all the activities that are done for the Type I engagements; and
- Conduct a thorough examination of all the controls, for their effectiveness and relevance.
The other difference in Type II engagements is that they are conducted for a period of time (e.g. six months or one year), as opposed to the "on date" examination of Type I engagements.
SSAE 18 Type II engagements are more relevant from an organizational and client view point because they establish the fact that a service organization has good systems in place and that these systems ensure continuous, error-free, and efficient work operations over a set period of time.
Lakelet Advisory Group offers an efficient and integrated solution for companies needing to comply with SSAE 18. Combining the audit expertise of CPAs with the efficiency focus of Lean Six Sigma Master Black Belts; we work with you to build your relevant SOC report, perform all necessary audits, and enhance the efficiency of your controls. Our team members hold the advanced SOC for Service Organizations Certificate.
The audit process is extremely complex and requires expertise in an array of unique areas beyond accounting / financial – these include, but are not limited to, industry knowledge, SSAE 18 experience, technology, and risks management. Lakelet was at the forefront of SSAE 18 and its predecessor SSAE 16, and has over 40 years of experience auditing high risk engagements. Designing and implementing effective controls requires a disciplined approach to risk mitigation and data analytics. Lakelet’s Master Black Belts have revolutionized continuous improvement systems over the past decade, working with private equity partners to leverage time-tested large corporation business practices to increase profitability of small and mid-sized businesses.
Our Master Black Belts partner with you to ensure performance objectives are met while maximizing efficiency of company resources as solutions are developed and implemented. According to industry experts:
- The return on investment for Six Sigma Black Belt projects is $2 for every $1 invested (American Society for Quality);
- Six Sigma Black Belt projects return savings ranging from $150,000 to $243,000 per project (Pyzdek);
- Six Sigma projects focus on reducing costs and inefficiencies while increasing revenue and return a minimum of three or four times the cost of implementation over 1.5 years (Brue & Howes); and
- Over $300M of direct margin improvement have been realized through projects worked on by Meliora consultants over the last 5 years (Meliora).
Working with your team, we ensure adherence SSAE-18 through:
- Documenting all required control descriptions and assertions for Type I reports;
- Conducting a thorough evaluation of all controls for Type II reports;
- Leveraging statistical process control best practices to design custom solutions to close and control gaps; and
- Driving process improvement actives to remove organization risks identified by your control systems.
Michael Bauer - Managing Partner at Meliora Consulting
Shari Kiesow - Partner at Meliora Consulting
Lauren Brugger - Partner at Meliora Consulting
Lauren holds the Advanced SOC for Service Organizations Certificate
To find our more on how our team can help you, contact us today.