Digest of AICPA SSAE 18

Service Organization Control (SOC)

AICPA SSAE 18

Statement on Standards for Attestation Engagements 18

In addition to complying with this section, a practitioner is required to comply with section 105, Concepts Common to All Attestation Engagements, and section 205, Examination Engagements.

  • 100 Common Concepts
    • 105 Concepts Common to All Attestation Engagements
  • 200 Level of Service
    • 205 Examination Engagements
    • 210 Review Engagements
    • 215 Agreed-Upon Procedures Engagements
  • 300 Subject Matter
    • 305 Prospective Financial Information
    • 310 Reporting on Pro Forma Financial Information
    • 315 Compliance Attestation
    • 320 Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting
    • 395 [Designated for AT Section 701, Management’s Discussion and Analysis (AICPA, Professional Standards)]

AT-C Section 320

Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting

Service Organization

An organization or segment of an organization that provides services to user entities, which are likely to be relevant to those user entities’ internal control over financial reporting.

User Entity

An entity that uses a service organization for which controls at the service organization are likely to be relevant to that entity’s internal control over financial reporting.

Type 1 Report

Management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design of controls (referred to in this section as a type 1 report).

Type 2 Report

Management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design and operating effectiveness of controls (referred to in this section as a type 2 report).

Controls at a Service Organization

The policies and procedures at a service organization likely to be relevant to user entities’ internal control over financial reporting. These policies and procedures are designed, implemented, and documented by the service organization to provide reasonable assurance about the achievement of the control objectives relevant to the services covered by the service auditor’s report.

Control Objectives

The aim or purpose of specified controls at the service organization. Control objectives address the risks that controls are intended to mitigate.
