In April 2016, the AICPA’s Auditing Standards Board (ASB) released a clarified attestation standard, SSAE 18. Although this standard governs the manner in which auditors must report their findings, it affects any company currently entering into audit engagements for the affected regulations, including HIPAA and SOC 2.
The Clarity Project, out of which these changes arose, announced the SSAE 18 in April 2016, but it is not expected to be implemented until May 2017. Ken Tysiac of the Journal of Accountancy summarizes the Clarity Project changes as follows:
The attestation standards establish requirements for performing and reporting on examination, review, and agreed-upon procedures engagements that enable practitioners to report on subject matter other than historical financial statements. Examples of this subject matter include an entity’s compliance with laws or regulations, the effectiveness of an entity’s controls over the security of a system, and the fairness of the presentation of a statement of greenhouse gas emissions.
The purpose of these new attestation rules is to make the reports more understandable for clients and to better address the service provided in terms of the company’s needs.
The Clarity Project notes that examination, review, and agreed-upon procedures are the services affected by the restructuring. In addition, while SSAE 18 specifically addresses four subject matters, it is not limited to those four. The Clarity Project states that a report may be subject to SSAE 18 if it meets the following conditions:
- the party responsible for the subject matter is someone other than the practitioner and takes responsibility for the subject matter,
- the subject matter is appropriate,
- the criteria to be used in evaluating the subject matter are suitable and available,
- the practitioner expects to be able to obtain the evidence needed to arrive at the practitioner’s opinion, conclusion, or findings, through access to information and unrestricted access to people who can provide such evidence, and
- the practitioner’s opinion, conclusion, or findings are to be contained in a written practitioner’s report.
Although these changes are directed at auditors, the shift in the SSAE means that additional types of products and services may fall under a SOC 2 review.
In other words, although previously a business didn’t need to do a SAS-70 (now a SOC 2 and soon to be SOC 2+) review, potential customers may require one due to the expanded definitions in the SSAE 18.
These audit reporting changes and the expansion of subject matter dovetail with the updates made in ISO 9001:2015. For example, ISO 9001:2015 places greater responsibility on top management to ensure that the organization focuses on ongoing improvement. The expanded audit purview matches this by giving an incentive to bring in an unbiased external auditor to review processes. As such, the redefinitions for organizational quality management systems run parallel to the changes in attestation. Moreover, by expanding the scope of the audit review function, the additional level of review ensures that top management is held accountable for its process development.
While it may seem odd that audit rules would apply to an organization, it also makes sense. As customers increasingly require documentation to support their due diligence with service providers, an audit can serve as a resource for companies to show potential clients their security controls. Expanding the audit function to cover a larger number of services, while an up-front cost, can have long-term profit benefits.