SSAE No. 21 & SSAE No. 22: What You Need to Know


Key Takeaways

  1. SSAE No. 21 Expands Direct Assessments: This statement introduces new guidance (AT-C Section 206) to enable assessors to issue opinions on a wider variety of direct assessments. This allows for the assessment of emerging or industry-specific security and operational criteria not previously covered, increasing flexibility in SOC reporting.

  2. SSAE No. 22 Promotes Transparency in Review Engagements: This update clarifies the objective of a review engagement—to obtain limited assurance—and requires practitioners to detail the specific procedures performed to achieve that assurance, enhancing transparency for report users.

  3. Adverse Opinion in Review Engagements: SSAE No. 22 now explicitly allows an assessor to issue an adverse opinion during a review engagement if there is insufficient evidence or if the subject material is not communicated in line with established guidelines.

Understanding SSAE No. 21 & SSAE No. 22

It can be a challenge to keep up with all the changes to compliance standards and reporting. It’s important that your assessor has the knowledge to help your service organization navigate the ever-evolving world of SOC* compliance. Let’s take a look at two recent changes, SSAE No. 21 & SSAE No. 22. 

SSAE No. 21 Key Points

SSAE No. 21 adds a new section (AT-C Section 206) to the reporting standards that provides your assessor with additional direction as it relates to direct assessments. Practitioners would be able to provide an assessment opinion for measurements on both financial and non-financial topics related to relevant criteria. 

This change is meant to help assessors adapt to the changing security landscape and assess evolving technologies, providing a third-party assessment of matters that are very specific to your industry.

Along with the new guidance on direct assessments, SSAE No. 21 also adds clarification for specific terms in AT-C Section 105, Concepts Common to All Attestation Engagements. 

This amendment will be effective for reports dated on or after June 15, 2022. The AICPA has made the guidelines available for practitioners to prepare for implementation. 

Learn more: AICPA SSAE No. 21 at a Glance 


SSAE No. 22 Key Points

SSAE No. 22 is meant to add transparency to review engagements. Typically, during a review engagement, the assessor is provided with limited assurance that specified controls meet necessary guidelines. This update does three main things:

  1. It offers clarity to practitioners on the purpose of a review engagement: it is meant to obtain limited assurance, not to perform a complete analysis of the assertion.
  2. It promotes transparency by detailing the procedures completed in order to obtain the limited assurance. 
  3. It allows an assessor to issue an adverse opinion in the event that the subject material is not communicated in accordance with the guidelines or there is insufficient evidence. 

This amendment will be effective for reports dated on or after June 15, 2022. The AICPA has made the guidelines available for practitioners to prepare for implementation.  

Learn more: AICPA SSAE No. 22 at a Glance 

Choose an Experienced SOC* Partner

When it comes to your SOC* assessment, it’s important to have a partner you can trust. With over 2,500 compliance reports completed, our assessment team has the industry expertise you need to take your compliance goals from overwhelming to under control. Contact a specialist today to learn about our simple SOC process.  


FAQs

SSAE No. 21 introduces new guidance for direct assessments (AT-C Section 206). This allows the assessor to provide an opinion on subject matter related to relevant criteria for both financial and non-financial topics, thereby increasing the flexibility and scope for providing third-party assessment opinions on new and evolving technologies.

SSAE No. 22 clarifies that a review engagement is primarily intended to obtain limited assurance, not to perform a complete analysis of an assertion. Crucially, it promotes greater transparency by requiring the assessor to detail the procedures performed to obtain that limited assurance for the user.

Both SSAE No. 21 and SSAE No. 22 became effective for reports dated on or after June 15, 2022. Service organizations and their assessors had a period to prepare for the implementation of the new guidelines.

The allowance for an adverse opinion in a review engagement emphasizes accountability. It empowers the assessor to formally state when the necessary level of assurance cannot be achieved, either due to a lack of sufficient evidence or because the subject matter was not presented in accordance with the required guidelines.

About the Author

Auditwerx Team
Tampa-based Auditwerx has provided over 3,500 security compliance reports to clients nationally and internationally since 2009, leveraging the specialized resources and experts of a top accounting firm for high-quality, personalized service. As a division of Carr, Riggs & Ingram Capital, LLC, Auditwerx offers clients the skills of a large firm—including CISSPs and CISAs—combined with the accessibility of a niche, boutique firm, dedicated to building long-term, transparent partnerships.
