Statement on Standards for Attestation Engagements no. 18 or SSAE 18 is a generally accepted audit standard produced and published by the American Institute of Certified Public Accountants (AICPA) Auditing Standard Board (ASB). The SSAE 18 supersedes SSAE 16 and Statement of Auditing Standard (SAS) 70. SSAE 18 has been effective since May 1, 2017.
SSAE-18 is used primarily for attestation engagements, which include financial statement audits, reviews, and other assurance services provided by auditors to assess and report on the reliability and accuracy of financial information, internal controls, and other matters of interest to stakeholders.
It states that it can be applied to almost any subject matter. However, it focuses on the accuracy, completeness, and fairness of financial account reporting. It places greater emphasis on the design and operating effectiveness of controls and includes a focus on subservice organizations. Additionally, SSAE-18 aligns with international standards, making it more globally relevant.
The purpose of this article is to provide you all the relevant information about SSAE 18 and how it affects your organization.
Historical context (SSAE 16 vs SSAE 18)
SSAE-18 replaced its predecessor, SSAE-16, which was issued in 2010. The transition from SSAE-16 to SSAE-18 was driven by the need to align with international standards and address changing business environments.
The difference between SSAE 16 and SSAE 18 includes a shift in terminology (from “Service Organization Controls (SOC) 1” to “SOC 1”), the introduction of new SOC report types (SOC 2 and SOC 3), and a focus on subservice organizations, among other changes.
- It is the set of auditing standards that auditors use to perform attestation engagements, which include SOC (Service Organization Control) reports. SOC reports are the output of attestation engagements conducted in accordance with SSAE-18.
- It provides the framework and requirements for conducting these engagements, while SOC reports are the actual reports that document the results of the assessments.
- SOC reports can be categorized into three types:
- SOC 1: Focuses on controls relevant to a service organization’s clients’ internal control over financial reporting (ICFR).
- SOC 2: Addresses controls related to security, availability, processing integrity, confidentiality, and privacy, often for technology or cloud service providers.
- SOC 3: Provides a summary of the SOC 2 report that can be made publicly available.
Importance of SSAE-18 in modern business:
SSAE-18 plays a crucial role in modern business for several reasons:
a. Trust and assurance
In an era where businesses rely heavily on third-party service providers and outsourcing, SSAE-18 provides assurance to stakeholders, including customers, investors, and regulators, that the service organization has effective internal controls in place. This trust is essential for maintaining business relationships and ensuring the integrity of financial reporting.
b. Compliance
Many businesses are required by regulatory bodies or contractual agreements to undergo SSAE 18 audits, especially if they provide services that impact their clients’ financial reporting. Compliance with SSAE-18 helps organizations meet their legal and contractual obligations.
c. Risk management
SSAE-18 audits help organizations identify and mitigate risks related to financial reporting and data security. By assessing and improving their internal controls, businesses can reduce the risk of financial fraud, data breaches, and operational failures.
d. Competitive advantage
Demonstrating compliance with SSAE-18 standards can be a competitive advantage. It can differentiate a service organization from competitors by showcasing a commitment to security, reliability, and transparency in their operations.
e. Global reach
It aligns with international standards, making it relevant for businesses with a global presence. It allows organizations to demonstrate their commitment to a consistent and high level of control assurance across borders.
Key components of SSAE-18
Key components of SSAE-18 encompass the essential elements that define and structure attestation engagements, ensuring the reliability of control systems.
a. Control objectives
Control objectives are specific goals or outcomes that an organization’s controls aim to achieve. They are defined to address risks and ensure the reliability and integrity of the systems and processes under examination.
For example, in a SOC 1 report, control objectives might pertain to the accuracy of financial transactions, the prevention of unauthorized access to financial data, and the availability of financial systems.
b. Control activities
Control activities are the specific policies, procedures, and practices put in place by the service organization to achieve the control objectives. These activities are designed to ensure that the organization’s controls are effective in mitigating risks and achieving desired outcomes.
Control activities can encompass a wide range of practices, such as access controls, data encryption, backup and recovery processes, and change management procedures.
c. Testing and evidence
Auditors conducting SSAE-18 engagements perform testing procedures to evaluate the effectiveness of the control activities. Testing involves gathering evidence to support the auditor’s conclusions. This evidence may include documentation, observations, inquiries, and the results of sample testing.
Moreover, the evidence collected is used to determine whether the controls are designed effectively (i.e., they are suitable for their intended purpose) and operating effectively (i.e., they are operating as intended over a period of time).
d. Subservice organizations
SSAE-18 places specific emphasis on subservice organizations, which are third-party organizations that provide services to the service organization under examination. These organizations are required to evaluate and report on the controls at subservice organizations that are relevant to the control objectives of the engagement.
This ensures that the end-to-end service delivery chain is assessed for control effectiveness and that any risks associated with subservice organizations are appropriately addressed.
Types of SSAE 18 reports
There are two types of SSAE-18 reports – SSAE Type 1 report and SSAE type 2 report. Let us learn about both of them in some detail.
a. SSAE-18 Type 1 report
An SSAE-18 Type 1 report is a specific type of Service Organization Control (SOC) report that provides an independent auditor’s opinion on the fairness of the presentation of a service organization’s system description and the suitability of the design of the controls in place at a specific point in time.
The primary purpose of a Type 1 report is to assess whether the controls are suitably designed to achieve the stated control objectives as of a specified date. It does not evaluate the operating effectiveness of these controls over a period.
When is it Necessary?
- SSAE-18 Type 1 reports are typically requested by service organizations when they want to demonstrate to their clients and stakeholders that they have implemented controls in their systems as of a specific date.
- These reports are often used as a starting point for clients to assess the design of controls and to gain assurance about the service organization’s commitment to control effectiveness.
b. SSAE-18 Type 2 report
An SSAE-18 Type 2 report is another type of SOC report that goes beyond the Type 1 report. It provides an independent auditor’s opinion on both the fairness of the presentation of the system description and the operating effectiveness of the controls over a period, which is typically a minimum of six months.
The purpose of a SSAE 18 Type 2 report is to assess whether the controls were not only suitably designed but also operated effectively throughout the specified period, offering a more comprehensive evaluation of control performance.
When is it necessary?
- SSAE-18 Type 2 reports are often requested when service organizations want to provide their clients with more in-depth assurance about the effectiveness of their controls over time.
- They are especially important when the controls’ reliability and consistency are critical to the integrity of financial reporting, data security, or other business processes.
c. Differences between SSAE-18 Type 1 and Type 2 reports
| Aspect | SSAE-18 Type 1 Report | SSAE-18 Type 2 Report |
| Scope | Design of controls at a specific point in time | Design and operating effectiveness of controls over a period |
| Time period | Point-in-time assessment | Minimum of six months of control operation |
| Assurance | Assess design only | Assess design and operational effectiveness |
| Use cases | Initial assessments, control design assurance | Ongoing assessments, control performance assurance |
| Audit evidence | Evidence of control design | Evidence of control design and operational effectiveness |
SSAE-18 and regulatory compliance
SSAE-18 was specially upgraded to meet compliance standards. Let’s talk more about how SSAE-18 is related to compliance standards.
How SSAE-18 relates to regulatory compliance (e.g., GDPR, HIPAA)
SSAE-18, while not a regulatory standard itself, plays a critical role in helping organizations demonstrate compliance with various regulatory requirements, such as GDPR (General Data Protection Regulation) and HIPAA (Health Insurance Portability and Accountability Act), among others.
Here’s how SSAE-18 relates to regulatory compliance:
1. Assurance of controls
SSAE-18 assessments, particularly SOC 2 and SOC 3 reports evaluate controls related to security, availability, processing integrity, confidentiality, and privacy (the five trust services criteria). These criteria are often aligned with the requirements of various regulations.
2. Third-Party validation
Regulatory bodies and compliance auditors often require organizations to provide evidence of their control environment. SSAE-18 reports, conducted by independent auditors, serve as third-party validation of control effectiveness and can be used as evidence during regulatory audits.
3. Data protection
For regulations like GDPR, which emphasize data protection and privacy, SSAE-18 assessments can help organizations demonstrate their commitment to safeguarding personal data. This is particularly relevant for data processors and service providers that handle personal data on behalf of data controllers.
4. Healthcare compliance
In the case of HIPAA, service organizations that handle electronic protected health information (ePHI) must comply with stringent security and privacy requirements. SSAE-18 assessments can provide evidence that controls are in place to protect ePHI and ensure compliance with HIPAA’s security rule.
5. Risk mitigation
Demonstrating control effectiveness through SSAE-18 reports can help organizations mitigate risks associated with regulatory non-compliance. It provides assurance to clients, business partners, and regulators that the organization is actively managing risks through robust controls.
Role of SSAE-18 in audit and compliance requirements
It plays a crucial role in fulfilling audit and compliance requirements for both service organizations and their clients:
1. Meeting contractual obligations
Many organizations, especially service providers, have contractual agreements with clients that require them to undergo SSAE-18 audits. These audits help organizations fulfill their contractual obligations and maintain client trust.
2. Compliance reporting
SSAE-18 reports can serve as a basis for compliance reporting to regulatory bodies. For example, a SOC 2 report can be used to demonstrate compliance with data security and privacy requirements to regulators like the European Data Protection Authorities.
3. Risk assessment
Auditors and compliance professionals use SSAE-18 reports as part of their risk assessment processes. They rely on the results of these assessments to evaluate the reliability of service organizations’ controls and make informed decisions about risk management.
4. Vendor management
Organizations that use services from third-party providers, such as cloud service providers, often rely on SSAE-18 reports to assess the security and reliability of those services. These reports are essential for effective vendor risk management.
5. Internal control improvement
The SSAE-18 audit process often identifies areas for control improvement. Service organizations can use the audit findings to enhance their internal controls and align them with industry best practices and regulatory requirements.
In summary, SSAE-18 reports serve as valuable tools for organizations to demonstrate control effectiveness, meet contractual obligations, and provide assurance to clients and regulators that they are managing risks and complying with various regulatory requirements.
Steps to achieving SSAE-18 compliance
The organization must take the following steps to achieve SSAE-18 compliance:
A. Assessing control objectives
- Identify objectives: Begin by identifying the specific control objectives relevant to your organization’s operations. These objectives should address the risks and requirements that are important to your clients and stakeholders.
- Define criteria: Clearly define the criteria and expectations for each control objective. This includes outlining what constitutes a successful outcome and the relevant compliance standards or industry regulations.
- Risk assessment: Conduct a comprehensive risk assessment to identify potential risks and threats to your organization’s operations and data. This assessment will help you tailor your control objectives to address these risks effectively.
B. Documenting control activities
- System description: Prepare a detailed system description that provides an accurate and comprehensive overview of your organization’s processes, systems, and controls. This description should include information about the control environment, control activities, and the roles and responsibilities of personnel.
- Control activities documentation: Document the specific control activities that your organization has implemented to achieve the defined control objectives. This documentation should include policies, procedures, and evidence of controls in action.
- Narrative and flowcharts: Utilize narratives and flowcharts to describe how controls are designed and implemented within your organization. This aids in understanding the control environment and processes.
C. Conducting testing
- Select testing methods: Choose appropriate testing methods to assess the effectiveness of your controls. This may involve testing the design of controls (Type 1) or both design and operating effectiveness (Type 2) over a specified period.
- Sample testing: Select representative samples of transactions, systems, or activities to evaluate the controls. Ensure that the sample size and selection methodology are statistically valid and risk-based.
- Gather evidence: Collect evidence of control performance through various means, including documentation reviews, observations, inquiries, and testing of transactions or data.
- Evaluate results: Analyze the results of control testing to determine whether controls are operating as intended and achieving their objectives. Identify any control deficiencies or areas for improvement.
D. Engaging sub-service organizations
- Identify subservice organizations: Identify any subservice organizations that are part of your service delivery chain. These are third-party entities that provide services critical to your operations.
- Evaluate subservice controls: Assess the controls implemented by subservice organizations that are relevant to your control objectives. Ensure that these controls are suitably designed and operating effectively.
- Obtain subservice reports: Request SSAE-18 or equivalent reports from subservice organizations to review their control environment. This can provide valuable insights into the security and reliability of their services.
- Address risks: Develop strategies to address any risks associated with subservice organizations. This may include contractual agreements, monitoring mechanisms, or contingency plans to mitigate potential disruptions.
Selecting an audit firm
Choosing the right audit firm is a critical step in the SSAE-18 compliance process, as their expertise and objectivity are essential for a successful assessment.
- Evaluate expertise: Choose an audit firm with experience and expertise in conducting SSAE-18 assessments. They should have a track record of conducting similar engagements in your industry.
- Independence and objectivity: Ensure that the audit firm is independent and objective, as their role is to provide an unbiased assessment of your controls.
- Reputation and references: Research the reputation of the audit firm and seek references from organizations they have previously worked with. This can provide insights into their reliability and professionalism.
- Cost and resources: Consider the cost of the audit services and whether the audit firm has the necessary resources to complete the engagement within your timeline.
The SSAE-18 audit process
The SSAE-18 audit process is a systematic and structured approach to assessing the effectiveness and reliability of a service organization’s controls, involving several key phases and responsibilities.
A. Audit planning
- Objective Setting: During the planning phase, the audit team defines the scope, objectives, and goals of the SSAE 18 audit. This includes identifying control objectives, assessing risks, and setting the criteria for evaluation.
- Risk assessment: Auditors conduct a risk assessment to identify potential threats to the effectiveness of controls and the achievement of control objectives.
- Engagement planning: The audit team plans the audit approach, including the selection of testing methods, sample sizes, and procedures for gathering evidence.
- Documentation review: Preliminary reviews of system descriptions and control activities documentation are conducted to gain an understanding of the organization’s control environment.
B. Fieldwork and testing
- Control testing: Auditors perform testing procedures to assess the design and operating effectiveness of controls. This may involve sample testing, inquiry, observation, and review of supporting documentation.
- Sample selection: Statistically valid samples of transactions, data, or activities are selected for testing to evaluate control performance.
- Gathering evidence: Auditors gather evidence of control effectiveness through various means, such as documentation reviews, observations, inquiries, and direct testing.
- Subservice organization assessment: If applicable, auditors evaluate controls at subservice organizations that are relevant to the audit’s scope.
C. Reporting
- Audit opinion: Auditors issue a report that provides their opinion on the fairness of the presentation of the system description and the suitability of the design (Type 1) or design and operating effectiveness (Type 2) of controls.
- Management response: If control deficiencies are identified, management has the opportunity to respond and remediate these issues. The auditor may include management’s response in the report.
- SSAE-18 report types: The report can take the form of a SOC 1, SOC 2, or SOC 3 report, depending on the organization’s objectives and the needs of stakeholders.
- Distribution: The SSAE-18 report is typically provided to the service organization’s clients and may be shared with other relevant parties, depending on contractual agreements.
D. Management’s responsibilities
- Control environment: Management is responsible for establishing and maintaining a suitable control environment, including the design and implementation of controls to achieve control objectives.
- System description: Management provides a comprehensive system description that accurately represents the organization’s processes, systems, and controls.
- Control activities: Management ensures that control activities are appropriately designed and effectively operated throughout the audit engagement period.
- Response to deficiencies: If control deficiencies are identified, management is responsible for developing and implementing corrective actions to address these deficiencies.
E. Auditor’s responsibilities
- Independence and objectivity: Auditors must maintain independence and objectivity throughout the audit process to provide an unbiased assessment.
- Testing and evaluation: Auditors rigorously test controls, gather evidence, and evaluate the design and operating effectiveness of controls.
- Report issuance: Auditors issue a formal report that includes their opinion on the controls assessed, any identified deficiencies, and, if applicable, management’s response to these deficiencies.
- Communication: Auditors communicate findings and observations to the service organization during the audit process and work collaboratively with management to address any issues that arise.
Benefits and challenges of SSAE-18 compliance
| Benefits of SSAE-18 compliance | Challenges of SSAE-18 compliance |
| Enhanced trust and credibility | Resource intensive |
| Competitive advantage | Complexity |
| Risk mitigation | Continuous effort |
| Contractual obligations | Risk of control deficiencies |
| Global relevance | Subservice organizations |
| Auditor independence | |
| Costs |
Final takeaway
In summary, SSAE-18, introduced in May 2017, is a crucial audit standard that has replaced SSAE-16 and SAS 70. It plays a vital role in modern business by fostering trust, ensuring compliance, managing risks, and providing a competitive edge on a global scale.
It’s key components include control objectives, control activities, and testing procedures. It produces two types of reports: Type 1 and Type 2, which assess control design and operational effectiveness over time.
While it offers numerous benefits like enhanced credibility and risk mitigation, it also presents challenges, such as resource intensity and the risk of control deficiencies. Nonetheless, understanding and implementing SSAE-18 compliance is essential for organizations aiming to excel in today’s interconnected business landscape.
Ready to take control of your SSAE compliance? Contact Scrut today and ensure your organization meets the highest standards of control assurance.
FAQs
It is a widely accepted audit standard that supersedes SSAE-16 and SAS 70. It aligns with international standards and addresses evolving business needs, focusing on control assessments and attestation engagements.
It is primarily used for attestation engagements, including financial statement audits, reviews, and assurance services. It assesses and reports on the accuracy, completeness, and fairness of financial information and internal controls.
It is crucial for modern businesses as it assures stakeholders, facilitates risk management, enhances credibility, and helps meet contractual and regulatory requirements. It ensures organizations adhere to global standards of control assurance in an interconnected business environment.
