The ASB issued the new SSAE-18 Attest Standard back in April 2016.
For full details, you can downloaded HERE
The SSAE no. 18 standard clarifies all previous SSAEs with the exception of:
- SSAE 15, An Examination of an Entity’s Internal Control Over Financial Reporting That is Integrated with an Audit of Its Financial Statements (AT Sec. 501). This standard will move to AU-C 940.
- In AT 701, Chapter 7, it states “Management’s Discussion and Analysis” of SSAE 10, Attestation Standards: Revision and Recodification, which will now be known as AT-C 395.
As a result of the clarified attestation standards, there are several changes which will need to be made to SOC reports. Below are some of the larger changes to take note.
- Service organization will no longer be able to say “in all material respects”, in an effort not to limit its assertion
- Evaluation of criteria, and all required criteria should be included in the management assertion. An explanation of why criteria is not applicable should be included.
- Additional risk assessment evaluation should be provided to enable the service auditor to design and perform appropriate audit procedures
- Complementary sub-service organization controls need to be defined in the report
- Required review of reports issued by internal audit, and any other regulatory examinations
- Completeness and accuracy of any information provided by the service organization under review