The US and UK attestation standards (SSAE vs. ISAE).

The US and UK attestation standards (SSAE vs. ISAE)

Usually, when you look out to get an independent controls attestation for your organization by a third-party service auditor, you may come across many ways of getting that done. You can either get a SOC 1 or SOC2 audit done (Type I or Type II) based on your requirements and choose your attestation standards for the report i.e. either ISAE (the UK standard, No. 3402 being the latest one) or the SSAE (the US standard, No. 18 being the latest). In this article, we will touch upon both the standards, their managing authorities, and the key differences which will help you
understand what exactly they are and identify the best one for yourself.

SSAE stands for Statement on Standards of Attestation Engagements (the US standard) and is managed by AICPA (American Institute of Certified Public Accountants) which reports to FASB (Financial Accounting Standards Board). Principally both standards are designed to achieve the same objective in terms of reporting the establishment of effectively designed controls over financial reporting and each service organization may need to provide reports to their clients (user entities) according to different standards. For service organizations catering services within the United States, SSAE18 is best suited. While for the ones providing services outside the US, reporting can be done by the ISAE 3402 standards (termed as a combined report). Further, there are a few key differences when it comes to the performance and reporting style of both standards.

SOC 1 Audit

Below are the major key differences that one should know:

 Investigation of the Intentional Acts Both standards require the investigation of any deviations identified during the testing. They direct the service auditor to investigate the noted deviations that could have been caused by an intentional act of the service organization’s (SO) personnel. The SSAE 18 directs that the auditor should receive a written representation from SO management detailing any actual or suspected intentional acts (like employees committing fraud) that could impact the fair presentation of management’s description of the system. However, ISAE 3402 does not explicitly require auditors to obtain written representations.

 Dealing with Operating Anomalies Any finding that deviates from the standard is an Operating Anomaly. SSAE 18 treats all deviations in the same manner, rather than as an anomaly. However, ISAE 3402 contains a requirement that allows a service auditor to conclude that any identified deviation while testing a sample of the control can be considered an anomaly. The idea is that when controls are sampled, they are not necessarily representative of the entire population from the samples drawn.

 Assistance from Internal Audit Team
SSAE 18 enables the use of direct assistance from the service organization’s internal audit function by the U.S. audit standards guidance. ISAE 3402 does not allow the use of the internal audit function for
direct assistance.

 Subsequent Events SSAE 18 calls out that the service auditor should report any event that could be significant to prevent users from being misled. A subsequent event would be something that could change management’s assertion after the audit period has ended. However, ISAE 3402 restricts the types of subsequent events that would be disclosed in the service auditor’s report to only those that could have a significant effect on the service auditor’s report.

 SSAE 18 requires that the auditor’s report should include a statement restricting the use of the report to management of the service organization, user entities, and user auditors. However, ISAE 3402 requires that the service auditor’s report include a statement that indicates that the report is intended for the service organization, user entities & user auditors but does not require a statement restricting its use.

 Acceptance of Engagement and Continuation SSAE 18 directs that management should acknowledge and accept the responsibility of providing the service. However, ISAE 3402 does not require this acknowledgment.

 Disclaimer of Opinion If the service provider does not provide the assessor with specific written representation, ISAE 3402 requires that the auditor deny an opinion after discussing the concern with management. If this happens, the auditor can carry out the required action. The SSAE 18 also contains certain incremental requirements for a situation where the auditor plans to deny any opinion.

These requirements are as follows:

1- The identification of any information included in the documentation that is not covered by the service auditor’s report.

2- A reference to management’s assertion, and a statement that management is responsible for identifying any of the risks that threaten the fulfillment of the control objectives.

3- A statement that the examination included assessing the risks that management’s description of the service organization’s system is not fairly presented and that the controls were not suitably designed.

4- A statement that an examination engagement of this type also includes evaluating the overall presentation of management’s description of the service organization’s system and the suitability of the control objectives stated in the description.

We believe, that the article what has enhanced your understanding of the two standards and their key differences. Please reach out to us if you still have any queries or for any further information.

The SOC 2 Reporting and COVID-19.

INTRODUCTION – The SOC 2 Reporting and COVID-19.

COVID-19, the most buzzed word these days, is a virus that has not only impacted the health of humans but has also affected almost every industry in the world including organizations (user organizations) relying on other companies (service organizations) to provide their services. Companies have either shifted their staff to remote environments or laid off their workers. Organizations looking for a SOC (System and Organization Controls) report from their service organizations are in a dilemma as to whether they will be able to get a renewed report or not for the COVID year. If your customers and the related stakeholders do not perform SOC reports on a timely basis, it could influence their business objectives.

Further, the entities who issue SOC reports (i.e. independent third-party audit firms), are anxious about how to support the remote attestation of controls during this time when companies have a reduced headcount, decreased revenues, and ceased operations due to government / mandatory requirements to continue operations. Remote assessment of risks and attestation either of internal controls over financial reporting (SOC 1) or AICPA’s trust service criteria (SOC2) without being physically present at
the client location has become a big challenge. However, the business must go on so should the SOC reporting.
In this article, we will be touching upon the considerations that should be taken care of by service & user organizations as well the third-party auditors during the pandemic scenario.

Service Organizations

Service organizations should evaluate their Operations and IT environments to determine if any controls have been impacted.
 The company should examine any impact on the functioning of controls caused by a reduced number of employees and any SoD (segregation of duties) conflicts should be addressed using additional monitoring controls
 The new user provisioning/user termination processes should operate effectively with sufficient authentication of remote users.
 Supplementary guidance on remote work cyber security practices should be communicated to staff working from a remote location.
 Security of applications enabled for remote work should be taken care of along with the implementation of multi-factor authentication (MFA) which should be required for all critical systems.
 Service organizations should discuss the procedures around video conferencing to perform virtual walkthroughs with their service auditors.

User Organizations

As a receiver of the SOC 1 and/or SOC 2 reports, they should have frequent communications with their vendors to discuss whether COVID-19 has impacted their operations, and SOC 2 reports, should have frequent communications with their vendors to discuss whether COVID-19 has impacted their operations and their SOC report. The following things should be considered as one review of the SOC reports where the evaluation period includes the timing of the pandemic.
 The SOC report should be reviewed for any disclosures on changes to the system, operations, or controls due to the impact of COVID-19. An assessment should be done to identify if any change impacts you and your reliance on the SOC report.
 The SOC report should also be reviewed for any exceptions and you can expect to have an increased number of exceptions within your service organizations due to the pandemic. These exceptions and their corresponding impacts should also be evaluated.
 The complementary user entity considerations should be reviewed. Analysis should be done if the service provider has included any additional items due to any changes in the controls or system description.

Learn More to visit Taxation 

Assessors / Auditors

The following key aspects should be considered by the auditor while performing a third-party assessment remotely.

 The risk associated with key personnel should be evaluated and the organization should have adequate personnel available to support critical business and IT functions.
 Changes related to the organizational structure should be assessed and their possible impact on the segregation of duties should be analyzed.
 The organization’s Disaster Recovery and Business Continuity Plans should be evaluated and appropriate changes should be suggested as required in a pandemic situation.
 Keeping in consideration the travel restrictions, Distance Audit methods such as video conferencing should be used to perform virtual walkthroughs like physical security walkthroughs of buildings and data centers to ensure security measures and environmental protection methods are adopted.
 For the controls not operating during the testing period due to the pandemic situation, auditors should simply add an additional rationale in the report explaining the reason. However, the overall report opinion is not modified.

For exceptional cases, an annual control can be rescheduled to occur in future months, as long as it is still within your SOC examination period. In other instances, those activities may be performed virtually. You can also visit the below link to read AICPA articles related impact of COVID-19 on audit and assurance.

Please contact us if you would like to discuss this topic or if you have any queries related to SOC reporting.

How regular you are required to perform a SOC 2 Audit.

How regularly you are required to perform a SOC 2 Audit

Typically speaking (and whereas there’s no onerous and quick rule), SOC two reports are needed annually from service organizations as validation that their controls are designed and operating effectively. The once-a-year rule has been the agreement in this if you conduct your initial SOC two audit in year one, then or so twelve months later, a service organization should give one more report on the operative effectiveness of their controls. It’s a yearly method; as a result, users of a SOC two report (i.e., clients, prospects, etc.) can wish to achieve assurances of a service organization’s management atmosphere every year – at a minimum. You can chat with our experts for SOC Audit Compliance.

Things to understand regarding SOC 2 Reports

Initiate with a Scoping & Readiness Assessment. It’s necessary to perform the associate direct scoping exercise for decisive project scope, gaps that require to be corrected, third parties that reach to be enclosed within the audit, and far additional.

Remediating deficiencies in policies and procedures, security tools and solutions, and operational problems. Together, these three areas will take time – absolute confidence regarding it.

Documentation is critically necessary. After we talk about documentation, we’re talking about policies and procedures requiring it to be in situ. Suppose access management, information backup, incident response, modification management, and more. Does one have policies and procedures in situ for these areas – if not – you’ll have to be compelled to begin documenting them, and now.

SOC 2

Here’s a short list of knowledge security policies and procedures you’ll like for changing into – and staying – SOC two compliant:

1. Access management policies and procedures

2. Data retention and disposal policies and procedures

3 . Incident response policies and procedures

4. Change management policies and procedures

5. Contingency designing

6. Wireless Access

7. Usage policies

Security Tools and Solutions can have to be compelled to be no inheritable. The AICPA SOC framework is changing into additional technical of late, which means that various security tools and solutions are needed for SOC two compliance. Suppose File Integrity watching (FIM), Two-Factor Authentication (2FA), Vulnerability scanning, information Loss hindrance (DLP), and additional. This needs associated investment in each time and cash that several service organizations need to be made aware of when they start the method.

Continuous watching of Controls is essential. There’s an idea known as “continuous monitoring” in situ, which means that somebody must take possession of assessing one’s internal controls on an everyday basis. If not, once the auditors re-appear for the annual SOC two audits, management deficiencies might have arisen – one thing you do not wish.

It’s the Annual associate method. Finished your initial SOC two audit – congratulations – however, detain mind that as a service organization, you’ll be expected to endure associate annual SOC two compliance assessment

The article what has enhanced your understanding of the SOC audit performance. Please reach out to us if you still have any queries or for any further information.

Learn More by visiting Audit/Review/Compilation