SERVICE ORGANIZATION CONTROL ASSESSMENT UNDER NEW AUDIT STANDARD SSAE18

-Rajendra Ponkshe FCA,CISA,CIA, CGEIT

Many companies in IT and financial sector  Managed security : Managing

have resorted to outsourcing of their non access to networks and computing
core business processes to service systems for user entities protecting
organizations for cost effectiveness and against intrusions
availability of expertise for value creation.
One of the critical responsibilities of
Many of these service organizations collect, management and those in governance of
process, transmit, store, maintain and any entity is to identify and assess the risks
dispose of the information for other entities. to the entity and address those risks
The entities that use the services of the through effective internal control. When an
organizations for their business process are entity outsources tasks or business
called user organizations and the processes to a service organization and
organizations delivering such services are becomes a user entity, it replaces many of
called the service organizations. the risks associated with performing those
tasks or functions and how that may affect
Examples of the services provided by the the user entity’s compliance with
service organizations : requirements. Although a task or function is
outsourced, management of the user entity
 Financial services : customer
accounting, processing financial retains responsibility for managing these
transactions on behalf of the risks and needs to monitor the services
customers of a bank or investment provided by the service organization.
company e.g. customer security Monitoring and managing risks related to
transactions, maintaining account outsourced activities by the User entities
records providing customers with can be effectively carried out only if the
confirmation of transactions and relevant information about the system by
statements which the service organization provides
 Sales process automation : services, including the service
Providing and maintaining software organization’s control over that system.
to automate business tasks for user User entity management may also with to
entities that have sales force. E.g. obtain assurance that the system
Tasks like order processing, information provided by the service
information sharing, order tracking, organization is accurate and that the
customer management and service organization actually operates in
employee performance evaluation. accordance with that information.
 Enterprise IT outsourcing services,
Managing, operating and To obtain assurance, user entities often ask
maintaining user entities’ IT Data the service organization to obtain audit
centers, Cloud infrastructure, report on the controls at the Service
application systems and related Organization from the international
functions that support IT activities, accounting firms registered with PCAOB on
such as network, production, the service organization system. Formerly
security, change management, such reports were issued by the audit firms
hardware and environment control under Statement of Auditing Standard 70 or
activities. SAS70 of AICPA. Recently however the

www.ponkshecas.com
 SERVICE ORGANIZATION CONTROL ASSESSMENT UNDER NEW AUDIT STANDARD SSAE18
-Rajendra Ponkshe FCA,CISA,CIA, CGEIT

auditing standard 70 was replaced with o Vendor management programs

Statement on Standard for Attestation o Internal corporate governance and
Engagements No.16 (SSAE 16) and with risk management processes
effect from May 2017 to SSAE 18. The new o Regulatory compliance
standard provides for three different types of
reports from audit firms to serve the 3. SOC-3 report :
different requirements of the user entities. This report is designed and intended to
1. SOC-1 report : This report is intended to cater the needs of a wider range of users
meet the needs of entities that use service who need assurance about the controls at a
organizations services and the auditors of service organization that affect the security,
the user entities who evaluate the effect of availability and processing integrity of the
controls at the service organizational the system used by the service organization to
user entities’ financial statements. User process the data of the User organization.
auditors use these reports to plan and This report is used for general purpose and
perform audits of the user entities financial do not presuppose the user to have
statements. knowledge about the service organization.
The report comprises of written assertion by
2. SOC-2 report : This report is intended to the management regarding suitability of the
meet the needs of a broad range of users design and operating effectiveness of the
who need information and assurance about controls. The report briefly described the
the controls at a service organization that system and its boundaries but does not give
affect the security, availability or processing details provided in SOC-2 report. The SOC-
integrity of the systems that the service 3 report can be freely distributed or posted
organization uses to process users’ data or on a website.
the confidentiality or privacy of the
information processed by these systems. In all the above the management needs to
Examples of the users of these reports perform the following roles :
could be management or suppliers and
- Determine the type of engagement
others who have an understanding of the to be performed , the scope of the
service organization and its controls. The engagement.
report includes detailed description of the - Preparing description of the service
service organization’s system, a written organization’s system
assertion by the management regarding the
- Provide written assertion and
description and the design and operation of representation
the controls and a service auditor’s report in - Providing reasonable basis for its
which the auditor expresses his opinion assertion
whether the controls are suitably designed
and that the description of the system is Criteria for evaluation of Service Organization
fairly presented and the controls are controls :
operating effectively. The report also
The auditor is expected to evaluate the controls
includes the service auditor’s description of
of the service organization mainly covering the
tests performed and results of these tests. following :
The report is useful for following objectives ;

www.ponkshecas.com
 SERVICE ORGANIZATION CONTROL ASSESSMENT UNDER NEW AUDIT STANDARD SSAE18
-Rajendra Ponkshe FCA,CISA,CIA, CGEIT

a. Security : Whether the system is protected organization for general reference of the
against unauthorized access (physical and external users of the information regarding
logical) service organization setup and controls.

b. Availability : Whether the system is available

for operation and use as committed or agreed
or declared in the agreement with user
organization

c. Processing Integrity : Whether System

processing is complete, accurate, timely and
authorized.

d. Privacy : Whether in case in the process of

providing service whether the service
organization collects, uses, retains or discloses
or disposes personal information in conformity
with commitments in the service organization or
user organization’s privacy notice and whether
the controls over privacy adheres to the criteria
for generally accepted privacy principles set
out by AICPA or similar organization.

Further the service organization has to place

before the auditor under above standard a
description of the system which should fairly
represent prevailing system and processes of
the service organization.

The controls over service organization first

should be documented and tested in all the
above four categories of criteria and respect to
each process undertaken in the service delivery
chain. After evaluating of suitability of controls
designed the service organization can obtain
either Type-1 report (for design and suitability) of
controls in operation of Type-2 report (design
suitability and operating effectiveness) of the
controls which should coincide with the reporting
period of the service organization entity.

As a result of the introduction of new standard

now the report of the auditors about controls
implemented by the service organizations has
become more specific e.g, related to controls
over financial reporting of user entity (SOC 1) or
Reporting processing control effectiveness
(SOC 2) for management of the service
organization or user entity. Or General report for
providing trust principles of the service

www.ponkshecas.com