I went to a recent meeting of the North Texas chapter of ISACA, and there was a presentation on SSAE 18. For those of you who don’t know, SSAE 18 supersedes SSAE 16, and consolidates Service Organization Controls reporting into something more manageable. Here, I’ll talk about what I’ve learned about SSAE 18, SOC 1, and SOC 2.
In SSAE 18, more emphasis has been put on testing the design of controls for subservice organizations (e.g. third parties for which the organization has contracted out some process) and whether they are doing what they are suppose to be doing. The auditor, through Service Organization Control (SOC), has to report on the effective use of these controls. In the case of a SOC 1 report, they would assist in testing the controls as they pertain to the financial statements. With SOC 2, the auditor reports on the controls with regards to security, availability, integrity, and confidentiality.
Now the auditor has to look for things such as complementary user entity controls, which are the controls that are assumed to be in place for users. The auditor will have to look at reports from the subservice company to the main organzation. They will have to see whether the organization is actually verifying the information in the report. For instance, the auditor will have to see system-generated reports are being validated by the users of these reports. The processing integrity principle will be used heavily in this situation.
This audit will look at how management has chosen the suitable criteria for the control, and how well they’ve measured the subject matter (note that “subject matter” means the risk relevant to entities using the subservice company). So an auditor will look at whether the risk is something related to the entity’s business with the subservice company, then check the metrics of the current control, and see whether they are actually related to the control.
