Ssae 18 Complementary Subservice Organization Controls

For the carve out method the service organization s description of its system is to include the services performed by the actual subservice.

Ssae 18 complementary subservice organization controls.

Complementary subservice organization controls controls that. It will universally be referred to as a soc report and is effective for reports dated on or after may 1st of 2017. Statement on standards for attestation engagements no. 18 requires the consideration of complementary subservice organization controls which are the controls for portions of the service organization s systems that are outsourced to other service organizations.

Alternatively a subservice organization could also undergo their very own soc 1 ssae 18 type 1 or type 2 engagement in further helping facilitate reporting requirements for the service organization. 15 an examination of an. Complementary subservice organization controls is a new term used to reference subservice organization controls that service organizations rely on to meet the expected control objective. Clarification and recodification supersedes statement on standards for attestation engagements nos.

As of may 1 these engagements specifically ssae nos. What is a subservice organization. The new ssae 18 standard is. Under these circumstances management and the service auditor need to consider the subservice organization controls assumed in the design of the service.

The ssae 18 is a business standard that gives advice on handling services that are provided by subservice organizations. The soc 1 ssae 16 report which provides assurance to auditing personnel about the integrity of your system s controls is being replaced by ssae 18. Additionally the ssae 18 requires the inclusion of defined complementary subservice organization controls when applicable see below for a definition of complementary subservice organization controls. The old ssae 16 standard was based on the requirements and guidance provided by attestation standards section 801 reporting on controls at a service organization.

A subservice organization is simply an outsourcing company to the main service organization. Identifying complementary subservice organization controls ssae18introducestheconceptof complementary subservice organization controls csocs which represents controls that management of the service organization expects will be implemented by the subservice organizations and are necessary to achieve the control objectives stated in management s. Within the ssae 18 are the standards the main service organization should aim to achieve. Standards for 18 attestation engagements issued by the auditing standards board attestation standards.

Identify all subservice organizations used in providing the services. Ssae 18 also. Include a description of any subservice organization controls referred to as complementary subservice organization controls that the service organization relies on to provide the primary services to its customers.