Organizations increasingly outsource services to outside providers ("service organizations"). This growth has brought challenges around security and compliance requirements, especially when those providers perform critical functions and so become an integral part of the customer organization's control structure. To address this, Service Organization Control (SOC) reports have become a widely used way for service organizations to demonstrate their commitment to compliance. A SOC report not only includes a description of the organization's control structure, but also provides an attestation from an independent accounting firm as to whether the controls are properly defined, implemented, and operating effectively. These reports are a critical (and widely accepted) part of the sales and onboarding cycle for many providers, and an independent report is increasingly a prerequisite before an organization will engage with a service provider at all.

The AICPA Auditing Standards Board introduced the SSAE 16 standard (effective for reports dated on or after June 15, 2011) to provide guidance on auditing methods for SOC 1 reports (related to controls over financial reporting), along with interpretation under AT Section 101 for SOC 2 reports, which are not focused on internal controls over financial reporting. In April 2016, the AICPA Auditing Standards Board issued Statement on Standards for Attestation Engagements (SSAE) No. 18. The new standard applies to all SOC attestation engagements and replaces SSAE 16. SSAE 18 is effective for SOC reports dated on or after May 1, 2017, although early adoption was permitted.

As service organizations get acquainted with the revised standard, it is worth noting the impact of these changes. They affect service organizations by setting a clear direction for management's description of controls, so that the description fairly presents the system, and by changing how service auditors are required to approach data collection and verification of controls. This should drive consistency and make SOC reports easier to compare for organizations evaluating a service organization's control environment.

The revisions fall into three broad areas: third-party vendor management, data validation, and risk assessment, each described below.

1. Management of third party vendors / Subservice organizations.

A subservice organization is an entity to which the service organization has outsourced some of its operations. The standard defines it as an entity that performs a function supporting the service organization's internal controls; the term is not meant to apply to every vendor. It is the responsibility of the service organization undergoing the SOC audit to identify which subservice organizations are relevant to the services covered by the attestation and to ensure that the controls those subservice organizations operate are accounted for in its own control environment.

The performance of a subservice organization ultimately reflects on the quality and reputation of the service organization. The switch from SSAE 16 to SSAE 18 therefore affects not only companies that currently undergo an SSAE 16 audit, but, to an even greater degree, companies that act as a subservice organization to other businesses and do not currently undergo an SSAE 16/18 audit themselves.

Service organizations have typically used the "carve-out method," under which the subservice organization's controls are excluded from the description of the service organization's system and only the functions the subservice organization performs are identified. SSAE 18 continues to permit both the carve-out and the "inclusive method," but it raises the bar for the carve-out approach: management's description must now identify the complementary subservice organization controls it relies on to meet the control objectives, and management must monitor whether those controls are in place and effective. Under the inclusive method, the subservice organization is brought into scope, along with a listing of the services and controls in place at the subservice organization that satisfy the criteria for the audit, and the subservice organization's management provides its own written assertion.

One of the most significant changes for a service organization is therefore the need for a robust vendor management program covering its subservice organizations. This is potentially a big deal: SSAE 18 requires service organizations to implement processes to verify and monitor the controls in place at subservice organizations and to confirm that those controls are sufficient to achieve the objectives stated in management's description. The standard suggests the following monitoring activities for assessing the effectiveness of these complementary subservice organization controls:

  • Reviewing and reconciling output reports.
  • Holding periodic discussions with the subservice organization.
  • Making regular site visits to the subservice organization.
  • Testing controls at the subservice organization by members of the service organization's internal audit function.
  • Regularly reviewing SOC Type I or Type II reports on the subservice organization's system.
  • Monitoring external communications, such as customer complaints relevant to the services performed by the subservice organization.

Service organizations often follow vetting procedures when they first partner with a third-party vendor, but it is now just as important to evaluate and monitor those vendors on an ongoing basis using the methods outlined in SSAE 18.

2. Data Validation Requirement

Under SSAE 18, service auditors are required to evaluate the information produced by the service organization to ensure it is complete, accurate, and sufficiently precise and detailed for the auditor's purposes. Auditors must verify and evaluate the information through their own independent judgment rather than accepting it at face value, and must satisfy themselves that it is reliable for the purpose and scope of the engagement. This gives the audit more latitude to be tailored to each service organization, which also highlights the value of engaging experienced and knowledgeable consultants and audit firms.

3. Risk Assessment

Companies with a current SSAE 16 report will need to perform a more detailed and in-depth risk assessment if they have not already done so. Although a risk assessment has long been a common requirement in SOC 2, it was not previously required for SOC 1 audits.

Risk assessments must now address the risk of material misstatement (ROMM) in specific terms, rather than the general considerations of risk that were previously sufficient. Risk of material misstatement is defined as "the risk that the subject matter is not in accordance with (or based on) the criteria in all material respects or that the assertion is not fairly stated in all material respects." SSAE 18 also brings an increased focus on performing a risk assessment at least annually.

In practice, this means that service auditors performing SOC attestations must obtain a deeper understanding of the subject matter than before. SSAE 18 requires the auditor to identify the potential risks of material misstatement in an examination engagement, evaluate the controls in place to respond to the assessed risks, and take into account remediation plans for any identified high-risk issues. Through a well-executed risk assessment, SSAE 18 aims to strengthen the link between the assessed risks and the nature, timing, and extent of the attestation procedures performed in response to them.

Finally, SOC reports have always contained management's written assertion about its description of controls. Although this assertion has always been part of the SOC reporting package, having the service organization sign it was previously optional. Organizations should now review their management description and consider whether any revisions are needed to satisfy the new standard. Because most organizations have opted to sign the assertion anyway, as a way to show commitment and due diligence and to add credibility to the report, in many cases meeting this requirement will have little impact on either the service auditor or the service organization.

Conclusion:  Next Steps for meeting SSAE 18 requirements

Preparing for and meeting all the requirements of a SOC attestation can be a daunting task for many organizations, and the changes introduced by SSAE 18 will no doubt add complexity and questions to the process. AppSec Consulting offers a variety of consulting and audit readiness services for clients pursuing a formal SOC report and attestation, including:

  • Scoping
  • Risk assessment
  • Development of risk and controls matrices
  • Identification of subservice organizations and their impact
  • Gap assessment
  • Policy and documentation creation
  • Mapping key policies and procedures to risk controls
  • Remediation and risk treatment assistance
  • Project management
  • Other audit readiness activities, including the development of required testing procedures

AppSec Consulting provides assistance every step of the way to ensure clients are fully prepared for formal audit activities, and our consultants have extensive experience helping clients prepare for and meet all facets of the SSAE process.

Contact us today (https://www.appsecconsulting.com) to find out how we can help.

Ruchira Hasolkar

Ruchira is an Information Security Consultant and Certified Information Systems Auditor (CISA) with more than 8 years of security, compliance, and financial auditing industry experience. Ruchira has served in key information security and internal audit roles at enterprises within the finance, technology, human resources and service provider markets. Her experience and expertise include performing Enterprise IT Risk Assessments, PCI DSS Assessments, Design and Program Development of Service Organization Controls (SOC 1 & 2), Information Security Management System (ISMS), General IT Controls, and Vulnerability Management.

© Copyright 2017 AppSec Consulting, All Rights Reserved