The Clarity Project: SSAE-18 Essentials


Posted by nicsa, 21-Jan-2018

Page 1: The Clarity Project: SSAE-18 Essentials

www.nicsa.org

The Clarity Project: What You Need to Know About SSAE 18

NTAC:3NS-20

SPONSORED BY:

Page 2

Our Presenter

Vincent Concialdi
Partner, Grant Thornton LLP, Advisory Services
Midwest Special Attestation Reporting Solutions Leader
T 312.602.8731
E [email protected]

Page 3

Discussion Points

• Timeline of Technical Guidance and Overview of SOC 1
• AICPA Branding of SOC Reports
• The Clarity Project and SSAE 18
• Summary of Changes Resulting from SSAE 18
• Overview of SOC 1, SOC 2 and SOC 3 Reports
• Glossary

Page 4

Timeline of Technical Guidance and Overview of SOC 1

Page 5

Timeline of Technical Guidance

(Timeline graphic, 1992 to 2018, summarized in the table below.)

Guidance                                   Date
SAS No. 70                                 1992
Trust Services Principles                  2006
Trust Services Principles Updates          2009
ISAE No. 3402                              2009
SSAE No. 16                                2010
Trust Services Principles Updates          2014
Trust Services Principles Updates          2016
SSAE No. 18                                2017
Trust Services Principles Updates          2018

Page 6

SOC 1 Overview

(Diagram.) The service organization sits in the center, with its control environment. Below it are the subservice organizations it relies on (complementary subservice organization controls, CSOC); above it are the user organizations it serves (complementary user entity controls). The service auditor reports on the service organization, and each user organization has its own user auditor; the service auditor and user auditors communicate auditor to auditor.

Page 7

Polling Question #1

How does your organization engage in the SOC process?

a) Service Provider who undergoes a SOC examination
b) Recipient/reviewer of reports from Service Providers
c) Both a) and b)
d) Audit firm performing SOC examinations
e) Other

Page 8

AICPA Branding of SOC Reports

Page 9

AICPA Branding: System and Organization Control ("SOC") Reports

The AICPA Systems for Service Organization Controls is a suite of services that CPAs may provide in connection with system-level controls at a service organization or entity-level controls of other organizations.

SOC for Service Organizations

SOC reports are internal control reports on the services provided by a service organization, providing valuable information that users need to assess and address the risks associated with an outsourced service.

• SOC 1® - SOC for Service Organizations: ICFR
• SOC 2® - SOC for Service Organizations: Trust Services Criteria
• SOC 3® - SOC for Service Organizations: Trust Services Criteria for General Use Report

Page 10

The Clarity Project and SSAE 18

Page 11

Background

Under the direction of the Auditing Standards Board (ASB), members of the "Clarification Project" undertook the initiative to revise and restructure the Statements on Standards for Attestation Engagements (SSAEs).

The effort was intended to restructure the guidance so that practitioners can more easily adhere to the guidance relevant to their engagements, by:

• Removing unnecessary redundancy across the standards
• Removing contradictory guidance existing within the standards
• Aligning US standards with International standards

Page 12

Background

As a result of the Clarity Project, the ASB issued the new Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification.

SSAE 18 became effective for reports with periods ending on or after May 1, 2017.

SSAE 18 establishes requirements for performing and reporting on examination, review, and agreed-upon procedures engagements that enable practitioners to report on subject matter ordinarily other than financial statements.

Page 13

Sections of SSAE 18

SSAE 18 is codified into sections. The identifier "AT-C" is used to differentiate the sections of the clarified attestation standards ("AT-C" sections) from the sections of the attestation standards that are superseded by SSAE No. 18 ("AT" sections).

Page 14

Chapters of SSAE 18

The result of the AICPA's Clarity Project was to centralize or consolidate guidance applicable to attestation engagements into the following chapters:

AT-C Sec. 105 – Concepts Common to All Attestation Engagements
AT-C Sec. 205 – Examination Engagements
AT-C Sec. 210 – Review Engagements
AT-C Sec. 215 – Agreed-Upon Procedures Engagements
AT-C Sec. 305 – Prospective Financial Information
AT-C Sec. 310 – Reporting on Pro Forma Financial Information
AT-C Sec. 315 – Compliance Attestation
AT-C Sec. 320 – Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting

Page 15

Polling Question #2

Before today's program, how much did you know about the changes?

a) Nothing, I wasn't aware of the change
b) A little, but another team in my organization is leading
c) A lot, we are well underway with our changes
d) Everything, we have already adopted all required changes

Page 16

Summary of Changes Resulting from SSAE 18

Page 17

Summary of Changes

Complementary Subservice Organization Controls (CSOC)

• A CSOC is a control that management assumes will be implemented by the subservice organization and is necessary to achieve a control objective.
• The CSOCs must be included in Section III: Description of the System. They will be included in the table within the Subservice Organization section.

Monitoring Subservice Organizations

• Previously, the service organization was responsible for monitoring carve-out subservice organizations. This monitoring now applies to subservice organizations using the inclusive method.

Page 18

Summary of Changes

Controls Testing

• Only key controls should be identified for testing. Non-key controls should be removed if they are not necessary to achieve the control objectives. All key controls should be included in Section III.

Management's Assertion

• SSAE 18 establishes minimum criteria for management's assertion. The service organization should make minimal to no changes to the assertion. This will allow user organizations to more easily compare consistency across SOC reports.

Page 19

Summary of Changes

Definition of Internal Audit

• Service auditors relying on Internal Audit must revisit the competence and objectivity of the group based on the revised definition.
• Internal audit reports with the same scope as the SOC report should be reviewed and evaluated by the service auditor.

Reliability of Information

• The service auditor must perform procedures to evaluate the completeness, accuracy and sufficiency of the data provided by the service organization.

Page 20

Summary of Changes

Definition of Misstatement

• A difference between the measurement or evaluation of the subject matter by the responsible party and the proper measurement or evaluation of the subject matter based on the criteria.
• Misstatements can be intentional or unintentional, qualitative or quantitative, and include omissions. In certain engagements, a misstatement may be referred to as a deviation, exception, or instance of noncompliance.
• Issues related to fair presentation or design will be referred to as misstatements.
• Issues related to operating effectiveness will be referred to as exceptions.

Page 21

Summary of Changes

Definition of Risk of Material Misstatement

• The risk that the subject matter is not in accordance with (or based on) the criteria in all material respects, or that the assertion is not fairly stated, in all material respects.
• A comprehensive risk assessment should be performed and documented by the service organization.
• The service auditor should design and perform further procedures whose nature, timing, and extent are based on, and responsive to, the assessed risks of material misstatement.

Page 22

Summary of Changes

The Service Auditor's Opinion

• The content has been reorganized and the format has changed to include headers for each section.
• The template includes references to complementary subservice organization controls (CSOC).
• The restricted use paragraph has been expanded to include the auditors who audit and report on internal controls over financial reporting (ICFR).

Page 23

Polling Question #3

Which of the changes below will have the greatest impact on your organization?

a) CSOC – Complementary Subservice Organization Controls
b) Key controls/removing non-key controls
c) Revisiting reliance on internal audit
d) Definition of Misstatement
e) All of them!

Page 24

Overview of SOC 1, SOC 2 and SOC 3 Reports

Page 25

Overview of SOC 1, SOC 2 and SOC 3

(Table with columns: Short Report Name; Full Report Name; Standard and Section for Engagement; Subject Matter of the Engagement; Service Auditor's Report; Intended Users. One row per report type, laid out below.)

SOC 1 Report

Full Report Name: SOC 1® - SOC for Service Organizations: ICFR

Standard and Section for Engagement: Statement on Standards for Attestation Engagements No. 18
• AT-C Section 105, Concepts Common to All Attestation Engagements
• AT-C Section 205, Examination Engagements
• AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting

Subject Matter of the Engagement: Controls at a service organization relevant to user entities' internal control over financial reporting.

Service Auditor's Report: Contains opinions on
• the fairness of the presentation of the description of the system
• the suitability of the design of the controls
• the operating effectiveness of the controls (for Type 2 report)

Intended Users: Restricted Use Report. The report is intended solely for the information and use of management of the company, user entities of the company's System, and their auditors who audit and report on such user entities' financial statements or internal control over financial reporting and have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities themselves, when assessing the risks of material misstatement of user entities' financial statements.

SOC 2 Report

Full Report Name: SOC 2® - SOC for Service Organizations: Trust Services Criteria

Standard and Section for Engagement: Statement on Standards for Attestation Engagements No. 18
• AT-C Section 105, Concepts Common to All Attestation Engagements
• AT-C Section 205, Examination Engagements

Subject Matter of the Engagement: Controls at a service organization relevant to
• security
• availability
• processing integrity
• confidentiality, or
• privacy.

Service Auditor's Report: Contains opinions on
• the fairness of the presentation of the description of the system
• the suitability of the design of the controls
• the operating effectiveness of the controls (for Type 2 report)

Intended Users: Restricted Use Report. The report is intended solely for the information and use of the Company; user entities of the Company's System during some or all of the Specified Period; those prospective user entities, independent auditors, and practitioners providing services to such user entities; and regulators who have sufficient knowledge and understanding.

SOC 3 Report

Full Report Name: SOC 3® - SOC for Service Organizations: Trust Services Criteria for General Use Report

Standard and Section for Engagement: Statement on Standards for Attestation Engagements No. 18
• AT-C Section 105, Concepts Common to All Attestation Engagements
• AT-C Section 205, Examination Engagements

Subject Matter of the Engagement: Controls at a service organization relevant to
• security
• availability
• processing integrity
• confidentiality, or
• privacy.

Service Auditor's Report: Report on whether the entity maintained effective controls over its system as it relates to the principle being reported on in the subject matter of the engagement, based on the applicable trust services criteria.

Intended Users: General Use Report. The report can be freely distributed or posted on a website as a seal.

Page 26

Glossary

Page 27

Glossary

Assertion. Any declaration or set of declarations about whether the subject matter is in accordance with (or based on) the criteria.

Attestation engagement. An examination, review, or agreed-upon procedures engagement performed under the attestation standards related to subject matter or an assertion that is the responsibility of another party. The following are the three types of attestation engagements:

Examination engagement. An attestation engagement in which the practitioner obtains reasonable assurance by obtaining sufficient appropriate evidence about the measurement or evaluation of subject matter against criteria in order to be able to draw reasonable conclusions on which to base the practitioner's opinion about whether the subject matter is in accordance with (or based on) the criteria or the assertion is fairly stated, in all material respects. (Ref: par. .A7)

Review engagement. An attestation engagement in which the practitioner obtains limited assurance by obtaining sufficient appropriate review evidence about the measurement or evaluation of subject matter against criteria in order to express a conclusion about whether any material modification should be made to the subject matter in order for it to be in accordance with (or based on) the criteria, or to the assertion in order for it to be fairly stated. (Ref: par. .A8)

Agreed-upon procedures engagement. An attestation engagement in which a practitioner performs specific procedures on subject matter or an assertion and reports the findings without providing an opinion or a conclusion on it. The parties to the engagement (specified party), as defined later in this paragraph, agree upon and are responsible for the sufficiency of the procedures for their purposes.

Control objectives. The aim or purpose of specified controls at the service organization. Control objectives address the risks that controls are intended to mitigate.

Complementary subservice organization controls. Controls that management of the service organization assumes, in the design of the service organization's system, will be implemented by the subservice organizations and are necessary to achieve the control objectives stated in management's description of the service organization's system.

Complementary user entity controls. Controls that management of the service organization assumes, in the design of the service organization's system, will be implemented by user entities and are necessary to achieve the control objectives stated in management's description of the service organization's system. (Ref: par. .A6)

Page 28

Glossary

Engaging party. The party(ies) that engages the practitioner to perform the attestation engagement. (Ref: par. .A17)

Evidence. Information used by the practitioner in arriving at the opinion, conclusion, or findings on which the practitioner's report is based.

General use. Use of a practitioner's report that is not restricted to specified parties.

Internal audit function. A function of an entity that performs assurance and consulting activities designed to evaluate and improve the effectiveness of the entity's governance, risk management, and internal control processes.

Misstatement. A difference between the measurement or evaluation of the subject matter by the responsible party and the proper measurement or evaluation of the subject matter based on the criteria. Misstatements can be intentional or unintentional, qualitative or quantitative, and include omissions. In certain engagements, a misstatement may be referred to as a deviation, exception, or instance of noncompliance.

Professional judgment. The application of relevant training, knowledge, and experience, within the context provided by attestation and ethical standards, in making informed decisions about the courses of action that are appropriate in the circumstances of the attestation engagement.

Professional skepticism. An attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error, and a critical assessment of evidence.

Reasonable assurance. A high, but not absolute, level of assurance.

Responsible party. The party(ies) responsible for the subject matter. If the nature of the subject matter is such that no such party exists, a party who has a reasonable basis for making a written assertion about the subject matter may be deemed to be the responsible party.

Service auditor. A practitioner who reports on controls at a service organization.

Service organization. An organization or segment of an organization that provides services to user entities, which are likely to be relevant to those user entities' internal control over financial reporting.

Page 29

Glossary

Service organization's assertion. A written assertion about the matters referred to in part (b) of the definition of management's description of a service organization's system and a service auditor's report on that description and on the suitability of the design and operating effectiveness of controls, for a type 2 report, and, for a type 1 report, the matters referred to in part (b) of the definition of management's description of a service organization's system and a service auditor's report on that description and on the suitability of the design of controls.

Specified party. The intended user(s) to whom use of the written practitioner's report is limited.

Subject matter. The phenomenon that is measured or evaluated by applying criteria.

Subservice organization. A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities' internal control over financial reporting. The following are the two treatments for subservice organizations:

Carve-out method. Method of addressing the services provided by a subservice organization, whereby management's description of the service organization's system identifies the nature of the services performed by the subservice organization and excludes from the description and from the scope of the service auditor's engagement the subservice organization's relevant control objectives and related controls.

Inclusive method. Method of addressing the services provided by a subservice organization, whereby management's description of the service organization's system includes a description of the nature of the services provided by the subservice organization as well as the subservice organization's relevant control objectives and related controls.

User auditor. An auditor who audits and reports on the financial statements of a user entity.

User entity. An entity that uses a service organization for which controls at the service organization are likely to be relevant to that entity's internal control over financial reporting.

Page 30

WEBINAR SPONSORED BY:

#WebinarWednesdays

Thank you!