Nowadays, many companies are bothered by the technical and security control applications used by third-party providers/suppliers. Corporates are demanding liberated audits of the IT and security control parameters of their third-party companies. In many situations, they are asking for some type of SSAE-16 audit or an SSAE-18 audit.
SSAE 16 audit is the Statements on Standards for Attestation Engagements no. 16. It offers a set of conditions and advice for documentation reporting on administrative controls and actions at service organizations. Audits using SSAE 16 usually outcome in (System and Organizational Control) SOC 1 reporting. Unlike prior standards, SSAE 16 audit needs written documentation from a service company’s governance, declaring that its explanation perfectly displays organizational controls, system goals, and operational activities that influence customers. SSAE 16 audit was succeeded by SSAE 18 audit in 2017.
SSAE 18 audit is the ongoing set of rules and guidance for reporting on a company's management and processes at service firms. It replaces SSAE 16 audit and is deliberated to update and clarify a prior set of standards. Like SSAE 16 audit, SSAE 18 audit is also used in SOC 1 reports, however, also in SOC 2 reports and SOC 3 reports, which were earlier directed under AT Section 101. Among other replacements, SSAE 18 audit also requires that service organizations recognize subservice firms and offer risk audits to SOC auditors.
SSAE 16 18 Audit and SOC have repeatedly been used conversely, and the audience discusses SSAE 18 reports and SOC 1 audits. But the two are different, and it’s necessary to realize the variance.
SSAE 18 — SSAE is the Statement on Standards for Attestation Engagements no. 18. As the name shows, it talks about standards and guidance for accomplishing attestation arrangements. These are the standards and methods CPAs go after when conveying out SSAE 18 audits.
SOC Report is the System and Organization Controls Report. It is the audit or report that CPAs generate after directing an attestation engagement under the SSAE 18 set of standards. Thus, SSAE 16 18 audits denote the standards, and SOC refers to the report.
In 2016, the Association of International Certified Professional Accountants upgraded the Statement on Standards for Attestation Engagements No. 16 SSAE 16 audit to No. 18 SSAE 18 audits. This transform was made to clarify and intersect attestation standards related to SOC 1 audits. SSAE 18 audit has also been enlarged to cover more kinds of SOC reports, whereas SSAE 16 was restricted to only SOC 1 reports.
The very initial thing all companies should perform in order to get ready for the movement in the SOC 1 audit standard is to do an official risk assessment. Accorp Partners is assisting organizations to complete this by providing our expertise and resources to ease the SOC audit for them. There are also many resources handling risk assessment and equipment to assist you to get started with reporting your own.
The next thing service organizations should perform in arrangements for the new SOC 1 audit is to start vendor compliance administration. When we talk about managing your vendors, organizations must question themselves what those challenges are that your dealers or suppliers present to your company and the services you depend on them to offer. Accorp Partners is here to assist you with all SOC compliances and SOC 1 audits, SOC 2 audits, SOC reporting, and many more that service organizations are preferring to maintain and monitor vendor compliance.
If you have any queries related to the updates to SOC 1 audit, contact our financial advisors.