IT Insights - Weaver Insights...SOC 1 reports addressing a service organization’s controls as they...




With the issuance of Statement on Standards for Attestation Engagements No. 18 – Attestation Standards: Clarification and Recodification (SSAE No. 18) on April 5, 2016, the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) clarifies attestation guidance for engagements pertaining to agreed-upon procedures, examinations and reviews.

SSAE No. 18 is part of an overall effort by the ASB to update and clarify professional standards, with the clarified standards carrying an AT-C designation. The statement also advances efforts to converge U.S. auditing standards with those set by the International Auditing and Assurance Standards Board (IAASB). SSAE No. 18 supersedes all existing attestation guidance except for:

• SSAE No. 15, An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated with an Audit of Its Financial Statements

• SSAE No. 10, Attestation Standards: Revision and Recodification; Chapter 7, Management’s Discussion and Analysis

This change directly affects System and Organization Controls (SOC) report requirements for practitioners and service organizations issuing practitioner’s reports on or after May 1, 2017. As a result, all SOC examinations (SOC 1, 2 and 3) will be issued under SSAE 18 going forward.

SSAE No. 18 Components

SSAE No. 18 incorporates common concepts, levels of service and subject matter. Practitioners and service organizations need to be aware of each of these items.

Common Concepts

SSAE No. 18, AT-C section 105, requires any attestation engagement or review to be based on the following concepts, which are similar to requirements for financial statement audits or reviews:

• A party other than the practitioner is responsible for the subject matter and must acknowledge that responsibility.

• Subject matter must be appropriate.

• Criteria used to prepare and evaluate subject matter must be suitable and available.

• The practitioner must be able to obtain the evidence needed to issue an opinion, conclusion or findings. That includes having access to relevant individuals and information.

• A written practitioner’s report must be issued containing an opinion, conclusion or findings.

IT Insights: SSAE No. 18 updates SOC report guidance


Levels of Service

AT-C sections 205, 210 and 215 restructure level of service standards previously contained in AT sections 101 and 201. New service level requirements include:

Written assertion and representation letter requirements: SSAE No. 18 requires a written assertion from the responsible party (typically company management) for any attestation engagement, including an agreed-upon procedures engagement. Attestation and agreed-upon procedures engagements require representation letters, too. SSAE No. 18 also requires practitioners to withdraw from a review engagement if representation letters are not received.

In-depth risk assessment: A practitioner must attain a greater understanding of how the subject matter was developed. Evaluation of the design of controls now requires procedures in addition to inquiry.

Scope limitation considerations: A practitioner is allowed to assess the impact of scope limitations and to issue a qualified opinion. SSAE No. 18 also specifies situations when a practitioner should withdraw from a review engagement due to scope limitations.

Report items: A report based on SSAE No. 18 needs to include:

• Information regarding the nature of the engagement

• A comparison of the assurance level to standards requirements

• The point in time or period of time for the subject matter or assertion

Additional documentation: In addition to items required for the report, a practitioner must document:

• Changes in materiality and risk assessments if facts change as the engagement progresses

• Use of work from internal auditors or other practitioners in an examination or review-level engagement

• Inquiries of appropriate parties regarding potential fraud or noncompliance in an examination or review engagement


Subject Matter

SSAE No. 18 includes guidance specific to controls at a service organization that are relevant to a user entity’s internal control over financial reporting. Guidance for service organizations and other reporting subject matters can be found in AT-C sections 305, 310, 315 and 320.

Applicability for Various SOC Reports

SSAE No. 16 and attestation standard AT 801 historically provided guidance for SOC 1 reports, which address a service organization’s controls as they relate to internal control over financial reporting. SSAE No. 18 AT-C sections 105, 205 and 320 now provide guidance for SOC 1 reports.

Guidance for SOC 2 and SOC 3 reports previously came from Section 100 of the Trust Services Principles and Criteria (TSP) and attestation standard AT 101. Guidance is now derived from SSAE No. 18 AT-C sections 105 and 205, as well as Section 100 of the TSP.

New Audit and Accounting guides for SOC 1 and SOC 2 reporting are anticipated to be published later in 2016 or early 2017.

Items for Practitioners and Service Organizations to Address

A SOC report issued on or after May 1, 2017, would be based on findings gleaned from a reporting period prior to SSAE No. 18’s effective date. To extend such a SOC report’s relevance, practitioners and service organizations should consider the value of early SSAE No. 18 adoption.

Practitioners need to be aware of the multiple changes SSAE No. 18 requires for attestation engagements. Among other items, practitioners must commit greater attention to risk assessment concerns. In addition, auditors now must evaluate the completeness and accuracy of the information provided by the entity (IPE), similar to the PCAOB’s standards for Sarbanes-Oxley compliance.

Service organizations need to be aware of the enhanced requirements being placed on auditors as a result of SSAE No. 18. Service auditors who simply execute template test procedures, without careful evaluation of a true risk assessment process performed by the service organization and an assessment of the completeness and accuracy of information provided by the entity (IPE), will be hard pressed to meet the requirements of SSAE No. 18. This may require additional work for some service auditors who have not explicitly performed these procedures in the past. Service organizations receiving SOC reports from service auditors who have not met the standards may find their reports being challenged or rejected by the user entities relying on the information (i.e., their customers).

Contact us

Brian Thomas, CISA, CISSP, QSA, Partner, IT Advisory, [email protected]

Neha Patel, CPA, CISA, Partner, IT Advisory, [email protected]

Weaver’s IT advisory services group focuses on delivering performance-enhancing consultations that address your IT and business agendas. We work directly with CIOs and others to create a more risk-aware, effective IT organization that can drive process efficiencies throughout your company and better support and deliver transformational business change. Specific services we provide include:

• Application controls review

• Business continuity/disaster recovery

• Cloud computing assessment

• Data analytics

• Data privacy

• Information security and vulnerability assessment

• ISO27001 reviews

• IT audit

• IT governance and organizational effectiveness

• IT risk assessment

• Pre- and post-implementation application reviews

• System and Organization Controls (SOC) reporting

www.weaver.com | 800.332.7952

Disclaimer: This content is general in nature and is not intended to serve as accounting, legal or other professional services advice. Weaver assumes no responsibility for the reader’s reliance on this information. Before implementing any of the ideas contained in this publication, readers should consult with a professional advisor to determine whether the ideas apply to their unique circumstances.

© Copyright 2016, Weaver and Tidwell, L.L.P.