The new SSAE 18 standard will require additional oversight, monitoring and reporting for all involved or requiring SOC attestations. This will include the User Entity, service organizations, and sub-service organizations.
In today’s business environment, most organizations are concerned with information technology and cybersecurity control practices used by third party service providers. Organizations are requesting independent assessments of the cybersecurity and information technology control measures of their third party providers. They are making these requests through questionnaires, interviews, audit requests, and in many cases, they are requesting a type of SSAE-16 or SSAE-18 assessment.

The Auditing Standards Board (ASB) has revised the existing attestation standard SSAE16 and replaced it with the SSAE18 standard. This update has addressed some much needed oversight related to service organizations and sub-service organizations and affects all SOC 1 reports provided after May 1, 2017.

The new requirements have changes the audit practitioners will need to implement, however the biggest changes are on the service organizations, which requires monitoring of their sub-service organizations. The new standard (SSAE18) defines a sub-service organization as, “a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting”. This has implications for both the service organization and the User Entity that uses a service organization. The change will require the service organization to have controls for monitoring their sub-service organizations and the User Entity must ensure their SOC report and oversight addresses sub-service organization controls.

In general, a service organization should implement a third party vendor management policy, if one is not in place, and ensure that the policy is in effect. Service organizations, in many cases, will perform due diligence of the sub-service organization initially when they are evaluating which sub-service organization to partner with. However, with the new requirements, it is the service organizations responsibility, to ensure there sub-service organizations are monitored regularly using the methods outlined in the new SSAE-18 standard.

Management’s description of the service organization’s system and the scope of the service auditor’s engagement includes controls at the service organization that monitor the effectiveness of controls at the sub-service organization, which may include some combination of ongoing monitoring to determine that potential issues are identified timely and separate evaluations to determine that the effectiveness of internal control is maintained over time. Such monitoring activities may include:

• reviewing and reconciling output reports,
• holding periodic discussions with the sub-service organization,
• making regular site visits to the sub-service organization,
• testing controls at the sub-service organization by members of the service organization’s internal audit function,
• reviewing type 1 or type 2 reports on the sub-service organization’s system prepared pursuant to this section or section 205, and
• monitoring external communications, such as customer complaints relevant to the services by the sub-service organization.

If you are a User Entity that uses service organizations, a service organization, or a sub-service organization, if you haven’t implemented your new monitoring, oversight and reporting, you should get started. When it’s time to have your new SOC report completed you need to be prepared for the updated SSAE18 requirements!