The Clarity Project: SSAE-18 Essentials
TRANSCRIPT
www.nicsa.org
The Clarity Project:
What You Need to Know About SSAE 18
NTAC:3NS-20
SPONSORED BY:
Our Presenter
Vincent Concialdi
Partner
Grant Thornton LLP
Advisory Services
Midwest Special Attestation Reporting Solutions Leader
T 312.602.8731
Discussion Points
• Timeline of Technical Guidance and Overview of SOC 1
• AICPA Branding of SOC Reports
• The Clarity Project and SSAE 18
• Summary of Changes Resulting from SSAE 18
• Overview of SOC 1, SOC 2 and SOC 3 Reports
• Glossary
Timeline of Technical Guidance and Overview of SOC 1
Timeline of Technical Guidance

Guidance                                   Date
SAS No. 70                                 1992
Trust Services Principles (TSP)            2006
Trust Services Principles Updates          2009
ISAE No. 3402                              2009
SSAE No. 16                                2010
Trust Services Principles Updates          2014
Trust Services Principles Updates          2016
SSAE No. 18                                2017
Trust Services Principles Updates          2018
SOC 1 Overview (diagram)
Parties shown: Subservice Organizations, Service Organization, User Organizations, User Auditors, Service Auditor
Relationships shown: Auditor to Auditor Communication; Complementary Subservice Organization Controls (CSOC); Complementary User Entity Controls; Control Environment
Polling Question #1
How does your organization engage in the SOC
process?
a) Service Provider who undergoes a SOC examination
b) Recipient/reviewer of reports from Service Providers
c) Both a) and b)
d) Audit firm performing SOC examinations
e) Other
AICPA Branding of SOC Reports
AICPA Branding: System and Organization Control ("SOC") Reports
The AICPA's System and Organization Controls (SOC) suite is a set of
services that CPAs may provide in connection with system-level
controls at a service organization or entity-level controls at other
organizations.
SOC for Service Organizations
SOC reports are internal control reports on the services provided by a
service organization. They give users the information they need to
assess and address the risks associated with an outsourced service.
• SOC 1® - SOC for Service Organizations: ICFR
• SOC 2® - SOC for Service Organizations: Trust Services Criteria
• SOC 3® - SOC for Service Organizations: Trust Services Criteria for General Use Report
The Clarity Project and SSAE 18
Background
Under the direction of the Auditing Standards Board (ASB),
members of the "Clarification Project" undertook the initiative to
revise and restructure the Statements on Standards for
Attestation Engagements (SSAEs).
The effort was intended to restructure the guidance so that
practitioners can more easily adhere to the guidance relevant to
their engagements, by performing the following:
• Removing unnecessary redundancy across the standards
• Removing contradictory guidance within the standards
• Aligning US standards with International standards
As a result of the Clarity Project, the ASB issued the new
Statement on Standards for Attestation Engagements (SSAE)
No. 18, Attestation Standards: Clarification and Recodification.
SSAE 18 became effective for reports with periods ending on or
after May 1, 2017.
SSAE 18 establishes requirements for performing and reporting
on examination, review, and agreed-upon procedures
engagements that enable practitioners to report on subject
matter ordinarily other than financial statements.
Sections of SSAE 18
SSAE 18 is codified into sections. The identifier "AT-C" is used to
differentiate the sections of the clarified attestation standards
("AT-C" sections) from the sections of the attestation standards
that are superseded by SSAE No. 18 ("AT" sections).
Chapters of SSAE 18
The result of the AICPA's Clarity Project was to centralize or
consolidate guidance applicable to attestation engagements into the
following chapters:
AT-C Sec. 105 – Concepts Common to All Attestation Engagements
AT-C Sec. 205 – Examination Engagements
AT-C Sec. 210 – Review Engagements
AT-C Sec. 215 – Agreed-Upon Procedures Engagements
AT-C Sec. 305 – Prospective Financial Information
AT-C Sec. 310 – Reporting on Pro Forma Financial Information
AT-C Sec. 315 – Compliance Attestation
AT-C Sec. 320 – Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting
Polling Question #2
Before today’s program, how much did you know
about the changes?
a) Nothing, I wasn’t aware of the change
b) A little, but another team in my organization is leading
c) A lot, we are well underway with our changes
d) Everything, we have already adopted all required
changes
Summary of Changes Resulting from SSAE 18
Summary of Changes
Complementary Subservice Organization Controls (CSOC)
• A CSOC is a control that management assumes will be
implemented by the subservice organization and is necessary
to achieve a control objective.
• The CSOC must be included in Section III: Description of the
System. They will be included in the table within the
Subservice Organization section.
Monitoring Subservice Organizations
• Previously, the service organization was responsible for
monitoring carve-out subservice organizations. This
monitoring now applies to subservice organizations using the
inclusive method.
Controls Testing
• Only key controls should be identified for testing. Non-key
controls should be removed if they are not necessary to
achieve the control objectives. All key controls should be
included in Section III.
Management's Assertion
• SSAE 18 establishes minimum criteria for management's
assertion. The service organization should make minimal to
no changes to the assertion. This allows user organizations
to more easily compare assertions across SOC reports.
Definition of Internal Audit
• Service auditors relying on Internal Audit must revisit the
competence and objectivity of the group based on the revised
definition.
• Internal audit reports with the same scope as the SOC report
should be reviewed and evaluated by the service auditor.
Reliability of Information
• The service auditor must perform procedures to evaluate the
completeness, accuracy and sufficiency of the data provided
by the service organization.
Definition of Misstatement
• A difference between the measurement or evaluation of the
subject matter by the responsible party and the proper
measurement or evaluation of the subject matter based on the
criteria.
• Misstatements can be intentional or unintentional, qualitative
or quantitative, and include omissions. In certain
engagements, a misstatement may be referred to as a
deviation, exception, or instance of noncompliance.
• Issues related to fair presentation or design will be referred to
as misstatements.
• Issues related to operating effectiveness will be referred to as
exceptions.
Definition of Risk of Material Misstatement
• The risk that the subject matter is not in accordance with (or
based on) the criteria in all material respects or that the
assertion is not fairly stated, in all material respects.
• A comprehensive risk assessment should be performed and
documented by the service organization.
• The service auditor should design and perform further
procedures whose nature, timing, and extent are based on,
and responsive to, the assessed risks of material
misstatement.
The Service Auditor's Opinion
• The content has been reorganized and the format has
changed to include headers for each section.
• The template includes references to complementary
subservice organization controls (CSOC).
• The restricted use paragraph has been expanded to include
the auditors who audit and report on internal controls over
financial reporting (ICFR).
Polling Question #3
Which of the changes below will have the greatest
impact on your organization?
a) CSOC – Complementary Subservice Organization Controls
b) Key controls/removing non-key controls
c) Revisiting reliance on internal audit
d) Definition of Misstatement
e) All of them!
Overview of SOC 1, SOC 2 and SOC 3 Reports
Overview of SOC 1, SOC 2 and SOC 3

SOC 1 Report
Full report name: SOC 1® - SOC for Service Organizations: ICFR
Standard and section for engagement: Statement on Standards for Attestation Engagements No. 18
• AT-C Section 105, Concepts Common to All Attestation Engagements
• AT-C Section 205, Examination Engagements
• AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting
Subject matter of the engagement: Controls at a service organization relevant to user entities' internal control over financial reporting.
Service auditor's report: Contains opinions on
• the fairness of the presentation of the description of the system
• the suitability of the design of the controls
• the operating effectiveness of the controls (for Type 2 report)
Intended users: Restricted Use Report. The report is intended solely for the information and use of management of the company, user entities of the company's System, and their auditors who audit and report on such user entities' financial statements or internal control over financial reporting and have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities themselves, when assessing the risks of material misstatement of user entities' financial statements.

SOC 2 Report
Full report name: SOC 2® - SOC for Service Organizations: Trust Services Criteria
Standard and section for engagement: Statement on Standards for Attestation Engagements No. 18
• AT-C Section 105, Concepts Common to All Attestation Engagements
• AT-C Section 205, Examination Engagements
Subject matter of the engagement: Controls at a service organization relevant to
• security
• availability
• processing integrity
• confidentiality, or
• privacy.
Service auditor's report: Contains opinions on
• the fairness of the presentation of the description of the system
• the suitability of the design of the controls
• the operating effectiveness of the controls (for Type 2 report)
Intended users: Restricted Use Report. The report is intended solely for the information and use of the Company; user entities of the Company's System during some or all of the Specified Period; those prospective user entities, independent auditors, and practitioners providing services to such user entities; and regulators who have sufficient knowledge and understanding.

SOC 3 Report
Full report name: SOC 3® - SOC for Service Organizations: Trust Services Criteria for General Use Report
Standard and section for engagement: Statement on Standards for Attestation Engagements No. 18
• AT-C Section 105, Concepts Common to All Attestation Engagements
• AT-C Section 205, Examination Engagements
Subject matter of the engagement: Controls at a service organization relevant to
• security
• availability
• processing integrity
• confidentiality, or
• privacy.
Service auditor's report: Report on whether the entity maintained effective controls over its system as it relates to the principle being reported on in the subject matter of the engagement, based on the applicable trust services criteria.
Intended users: General Use Report. The report can be freely distributed or posted on a website as a seal.
Glossary
Assertion. Any declaration or set of declarations about whether the subject matter is in accordance with (or based on) the criteria.

Attestation engagement. An examination, review, or agreed-upon procedures engagement performed under the attestation standards related to subject matter or an assertion that is the responsibility of another party. The following are the three types of attestation engagements:

Examination engagement. An attestation engagement in which the practitioner obtains reasonable assurance by obtaining sufficient appropriate evidence about the measurement or evaluation of subject matter against criteria in order to be able to draw reasonable conclusions on which to base the practitioner's opinion about whether the subject matter is in accordance with (or based on) the criteria or the assertion is fairly stated, in all material respects. (Ref: par. .A7)

Review engagement. An attestation engagement in which the practitioner obtains limited assurance by obtaining sufficient appropriate review evidence about the measurement or evaluation of subject matter against criteria in order to express a conclusion about whether any material modification should be made to the subject matter in order for it to be in accordance with (or based on) the criteria or to the assertion in order for it to be fairly stated. (Ref: par. .A8)

Agreed-upon procedures engagement. An attestation engagement in which a practitioner performs specific procedures on subject matter or an assertion and reports the findings without providing an opinion or a conclusion on it. The parties to the engagement (specified party), as defined later in this paragraph, agree upon and are responsible for the sufficiency of the procedures for their purposes.

Control objectives. The aim or purpose of specified controls at the service organization. Control objectives address the risks that controls are intended to mitigate.

Complementary subservice organization controls. Controls that management of the service organization assumes, in the design of the service organization's system, will be implemented by the subservice organizations and are necessary to achieve the control objectives stated in management's description of the service organization's system.

Complementary user entity controls. Controls that management of the service organization assumes, in the design of the service organization's system, will be implemented by user entities and are necessary to achieve the control objectives stated in management's description of the service organization's system. (Ref: par. .A6)

Engaging party. The party(ies) that engages the practitioner to perform the attestation engagement. (Ref: par. .A17)

Evidence. Information used by the practitioner in arriving at the opinion, conclusion, or findings on which the practitioner's report is based.

General use. Use of a practitioner's report that is not restricted to specified parties.

Internal audit function. A function of an entity that performs assurance and consulting activities designed to evaluate and improve the effectiveness of the entity's governance, risk management, and internal control processes.

Misstatement. A difference between the measurement or evaluation of the subject matter by the responsible party and the proper measurement or evaluation of the subject matter based on the criteria. Misstatements can be intentional or unintentional, qualitative or quantitative, and include omissions. In certain engagements, a misstatement may be referred to as a deviation, exception, or instance of noncompliance.

Professional judgment. The application of relevant training, knowledge, and experience, within the context provided by attestation and ethical standards, in making informed decisions about the courses of action that are appropriate in the circumstances of the attestation engagement.

Professional skepticism. An attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error, and a critical assessment of evidence.

Reasonable assurance. A high, but not absolute, level of assurance.

Responsible party. The party(ies) responsible for the subject matter. If the nature of the subject matter is such that no such party exists, a party who has a reasonable basis for making a written assertion about the subject matter may be deemed to be the responsible party.

Service auditor. A practitioner who reports on controls at a service organization.

Service organization. An organization or segment of an organization that provides services to user entities, which are likely to be relevant to those user entities' internal control over financial reporting.

Service organization's assertion. A written assertion about the matters referred to in part (b) of the definition of management's description of a service organization's system and a service auditor's report on that description and on the suitability of the design and operating effectiveness of controls, for a type 2 report, and, for a type 1 report, the matters referred to in part (b) of the definition of management's description of a service organization's system and a service auditor's report on that description and on the suitability of the design of controls.

Specified party. The intended user(s) to whom use of the written practitioner's report is limited.

Subject matter. The phenomenon that is measured or evaluated by applying criteria.

Subservice organization. A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities' internal control over financial reporting. The following are the two treatments for subservice organizations:

Carve-out method. Method of addressing the services provided by a subservice organization, whereby management's description of the service organization's system identifies the nature of the services performed by the subservice organization and excludes from the description and from the scope of the service auditor's engagement the subservice organization's relevant control objectives and related controls.

Inclusive method. Method of addressing the services provided by a subservice organization, whereby management's description of the service organization's system includes a description of the nature of the services provided by the subservice organization as well as the subservice organization's relevant control objectives and related controls.

User auditor. An auditor who audits and reports on the financial statements of a user entity.

User entity. An entity that uses a service organization for which controls at the service organization are likely to be relevant to that entity's internal control over financial reporting.
WEBINAR SPONSORED BY:
#WebinarWednesdays
Thank you!