SERVICE ORGANIZATION CONTROL ASSESSMENT UNDER NEW AUDIT STANDARD SSAE18
-Rajendra Ponkshe FCA,CISA,CIA, CGEIT
Many companies in IT and financial sector
have resorted to outsourcing of their non
core business processes to service
organizations for cost effectiveness and
availability of expertise for value creation.
Many of these service organizations collect,
process, transmit, store, maintain and
dispose of the information for other entities.
The entities that use the services of the
organizations for their business process are
called user organizations and the
organizations delivering such services are
called the service organizations.
Examples of the services provided by the
service organizations :
 Financial services : customer
accounting, processing financial
transactions on behalf of the
customers of a bank or investment
company e.g. customer security
transactions, maintaining account
records providing customers with
confirmation of transactions and
statements
 Sales process automation : services,
Providing and maintaining software
to automate business tasks for user
entities that have sales force. E.g.
Tasks like order processing,
information sharing, order tracking,
customer management and
employee performance evaluation.
 Enterprise IT outsourcing services,
Managing, operating and
maintaining user entities’ IT Data
centers, Cloud infrastructure,
application systems and related
functions that support IT activities,
such as network, production,
security, change management,
hardware and environment control
activities.
www.ponkshecas.com
 Managed security : Managing
access to networks and computing
systems for user entities protecting
against intrusions
One of the critical responsibilities of
management and those in governance of
any entity is to identify and assess the risks
to the entity and address those risks
through effective internal control. When an
entity outsources tasks or business
processes to a service organization and
becomes a user entity, it replaces many of
the risks associated with performing those
tasks or functions and how that may affect
the user entity’s compliance with
requirements. Although a task or function is
outsourced, management of the user entity
retains responsibility for managing these
risks and needs to monitor the services
provided by the service organization.
Monitoring and managing risks related to
outsourced activities by the User entities
can be effectively carried out only if the
relevant information about the system by
which the service organization provides
including the service
organization’s control over that system.
User entity management may also with to
obtain assurance that the system
information provided by the service
organization is accurate and that the
service organization actually operates in
accordance with that information.
To obtain assurance, user entities often ask
the service organization to obtain audit
report on the controls at the Service
Organization from the international
accounting firms registered with PCAOB on
the service organization system. Formerly
such reports were issued by the audit firms
under Statement of Auditing Standard 70 or
SAS70 of AICPA. Recently however the
 SERVICE ORGANIZATION CONTROL ASSESSMENT UNDER NEW AUDIT STANDARD SSAE18
auditing standard 70 was replaced with
Statement on Standard for Attestation
Engagements No.16 (SSAE 16) and with
effect from May 2017 to SSAE 18. The new
standard provides for three different types of
reports from audit firms to serve the
different requirements of the user entities.
1. SOC-1 report : This report is intended to
meet the needs of entities that use service
organizations services and the auditors of
the user entities who evaluate the effect of
controls at the service organizational the
user entities’ financial statements. User
auditors use these reports to plan and
perform audits of the user entities financial
statements.
2. SOC-2 report : This report is intended to
meet the needs of a broad range of users
who need information and assurance about
the controls at a service organization that
affect the security, availability or processing
integrity of the systems that the service
organization uses to process users’ data or
the confidentiality or privacy of the
information processed by these systems.
Examples of the users of these reports
could be management or suppliers and
others who have an understanding of the
service organization and its controls. The
report includes detailed description of the
service organization’s system, a written
assertion by the management regarding the
description and the design and operation of
the controls and a service auditor’s report in
which the auditor expresses his opinion
whether the controls are suitably designed
and that the description of the system is
fairly presented and the controls are
operating effectively. The report also
includes the service auditor’s description of
tests performed and results of these tests.
The report is useful for following objectives ;
www.ponkshecas.com
-Rajendra Ponkshe FCA,CISA,CIA, CGEIT
o Vendor management programs
o Internal corporate governance and
risk management processes
o Regulatory compliance
3. SOC-3 report :
This report is designed and intended to
cater the needs of a wider range of users
who need assurance about the controls at a
service organization that affect the security,
availability and processing integrity of the
system used by the service organization to
process the data of the User organization.
This report is used for general purpose and
do not presuppose the user to have
knowledge about the service organization.
The report comprises of written assertion by
the management regarding suitability of the
design and operating effectiveness of the
controls. The report briefly described the
system and its boundaries but does not give
details provided in SOC-2 report. The SOC-
3 report can be freely distributed or posted
on a website.
In all the above the management needs to
perform the following roles :
- Determine the type of engagement
to be performed , the scope of the
engagement.
- Preparing description of the service
organization’s system
- Provide written assertion and
representation
- Providing reasonable basis for its
assertion
Criteria for evaluation of Service Organization
controls :
The auditor is expected to evaluate the controls
of the service organization mainly covering the
following :
 SERVICE ORGANIZATION CONTROL ASSESSMENT UNDER NEW AUDIT STANDARD SSAE18
-Rajendra Ponkshe FCA,CISA,CIA, CGEIT

a. Security : Whether the system is protected organization for general reference of the
against unauthorized access (physical and external users of the information regarding
logical) service organization setup and controls.

b. Availability : Whether the system is available

for operation and use as committed or agreed
or declared in the agreement with user
organization

c. Processing Integrity : Whether System

processing is complete, accurate, timely and
authorized.

d. Privacy : Whether in case in the process of

providing service whether the service
organization collects, uses, retains or discloses
or disposes personal information in conformity
with commitments in the service organization or
user organization’s privacy notice and whether
the controls over privacy adheres to the criteria
for generally accepted privacy principles set
out by AICPA or similar organization.

Further the service organization has to place

before the auditor under above standard a
description of the system which should fairly
represent prevailing system and processes of
the service organization.

The controls over service organization first

should be documented and tested in all the
above four categories of criteria and respect to
each process undertaken in the service delivery
chain. After evaluating of suitability of controls
designed the service organization can obtain
either Type-1 report (for design and suitability) of
controls in operation of Type-2 report (design
suitability and operating effectiveness) of the
controls which should coincide with the reporting
period of the service organization entity.

As a result of the introduction of new standard

now the report of the auditors about controls
implemented by the service organizations has
become more specific e.g, related to controls
over financial reporting of user entity (SOC 1) or
Reporting processing control effectiveness
(SOC 2) for management of the service
organization or user entity. Or General report for
providing trust principles of the service

www.ponkshecas.com