What is SSAE 18? (Is it Still Required in 2024)

Meeba Gracy


Oct 02, 2024

Most businesses today rely on the cloud, and it can be challenging to ensure that data – whether it’s payroll information, cloud files, or other sensitive material – remains well-protected and organized. 

That’s where the American Institute of Certified Public Accountants (AICPA) comes in with its SOC 1 attestation requirements. Originally codified under forms like SSAE 18 and SSAE 16 but now updated by SOC 1, these regulations provide an assurance that a company is overseeing operations responsibly. 

In this article, let’s dive deeper into what SSAE 18 is and whether it is still required.

What is SSAE 18?

Statement on Standards for Attestation Engagements 18 (SSAE 18) was established by the American Institute of Certified Public Accountants (AICPA). The organization’s Auditing Standards Board formulated it to evaluate service organizations.

If a business provides services that could influence another company’s financial statements, it can request an audit to demonstrate compliance with SSAE 18’s regulations and standards.

SSAE No. 18 sets out clear standards for Certified Public Accountants (CPAs) to follow when performing attestation engagements, ensuring their reporting on financial information is accurate and trustworthy. 

The Purpose of SSAE 16

Published by the AICPA, the purpose of SSAE 16 was to provide a comprehensive framework for assessing the internal controls over financial reporting (ICFR) of service organizations. This assures the customer or users of these services that there are relevant financial reporting controls in place.

However, in 2016, the AICPA replaced SSAE No. 16 with SSAE No. 18. The key point about SSAE 18 is simple: it was not designed for SOC 1 audits alone.
In fact, the new standard covers an expanded range of attestation services, including SOC 2 audits, which offer deeper insight for organizations looking to understand their controls over security, availability, processing integrity, confidentiality, and privacy.

This shift from SSAE 16 to 18 clarified how organizations measure and report on their service performance.


The AICPA’s Auditing Standards Board focuses on the controls over information systems and financial reporting, giving CPAs the tools they need to assess whether the report matches what their clients disclose.

What is the difference between SSAE 18 and SSAE 16?

The main difference between SSAE 18 and SSAE 16 is that SSAE 18 supersedes SSAE 16 as of May 1, 2017. While SSAE 16 focused primarily on SOC 1 reports that affect customers’ financial reporting, SSAE 18 integrates all previous AICPA attestation standards to go beyond SOC 1 and cover other attestation reports.

Here are the 6 key differences in detail:

  • The long-standing SSAE 16 standard has been retired, and the SOC acronym has been redefined. Instead of Service Organization Control, it now stands for System and Organization Controls, enabling companies to apply the framework at both the system and the entity level.
  • SSAE 16 previously included complementary user-entity controls regardless of whether they were necessary to achieve management’s stated objectives. SSAE 18 narrows this definition to only those controls required to fulfill the control objectives laid out by management.
  • SSAE 18 places greater emphasis on risk assessment, with stricter requirements for evaluating the control processes of user entities and subservice organizations.
  • SSAE 18 strengthens the requirements for the Management Assertion letter: management must now sign it and accept responsibility for the organization’s system description. SSAE 16 required management to provide its assertion, but the signing requirement needed to be revised.
  • SSAE 18 revises the reporting language to reflect changes in the external environment and to factor in user-entity and subservice organization controls. The Management Assertion letter and the Service Auditor’s report now reflect these developments, giving stakeholders a more accurate picture.
  • Adopting SSAE 18 shifts expectations for how organizations control their reliance on subservice providers.

Complementary Subservice Organization Controls and vendor management processes enable entities to keep close tabs on their service provider relationships and to ensure that the control objectives stated in management’s description are met. These vendor monitoring activities include:

  • Reviewing and reconciling output reports
  • Holding periodic discussions with the subservice organization
  • Testing controls at the subservice organization by members of the service organization’s internal audit department
  • Reviewing Type 1 or Type 2 reports on the subservice organization’s system and monitoring external communications (for example, customer complaints relevant to the services provided by the subservice organization)

Is SSAE 18 still relevant to organizations?

Yes, SSAE 18 is still relevant. On May 1, 2017, the new SSAE 18 standard, “Concepts Common to All Attestation Engagements,” took effect and replaced the long-standing SSAE 16 standard.

Many professional services organizations have taken note of the change, recognizing that SSAE 18 was created with the user in mind and is based on the requirements and guidance of Attestation Standards section 320 (AT-C 320).

With the implementation of SSAE-18, users can now rest assured knowing that organizations are held accountable for providing high-quality support for internal control over financial reporting.

How to prepare for SSAE 18?

By now you know the main changes that took place in SSAE 18. So, here’s what you need to do to prepare for SSAE 18 so that you don’t look at the ceiling and sigh when the time comes for an official audit.

Here are the 3 implementation steps of SSAE 18:

Emphasis on Risk Assessment and Responsibility 

Under SSAE 18, you are required to conduct a risk assessment when completing your SOC report. You need to understand the concept of “risk of material misstatement” and its consequences.

Risk of material misstatement arises when the subject matter and/or management’s assertion, as elements of the SOC report, are not accurately represented, which can have major implications.

This responsibility traditionally rested with the service auditor; under SSAE 18 it has shifted to the responsible party – the organization itself.

This way you can take ownership by proactively assessing risks associated with the control objectives and controls you create. This in turn promotes accountability among organizations while providing a safe system audit framework that increases transparency and trust.

Every organization is unique, and, as a result, its risk assessment processes will vary in small yet important ways. 

As you prepare your management team to develop an approach, it is important to ask the right questions to identify any potential risks that could cause financial loss or inaccurate reporting. The questions include:

  • Who is your audience?
  • What actions could result in financial loss or the disclosure of sensitive information, and should therefore be addressed in a more comprehensive review?
  • What actions could result in disruption, including prolonged disruption, to daily operations?

Vendors vs. Subservice Organizations

Many businesses rely either on vendors or subservice organizations. Although the use of these entities is not new, it is important to recognize that the differences between a vendor and a subservice organization are vast enough to catalyze a significantly different level of review.

A subservice organization is an entity used by a service organization to help deliver the services described in its SOC report. As such, it has considerable influence over the controls operating within its customer’s system.

Vendors, on the other hand, primarily supply products or services that are not directly related to delivering the services described in the report.

Therefore, understanding the difference between a vendor and a subservice organization can ensure you meet quality assurance standards for your customer’s benefit.

It doesn’t stop there: reviewing a vendor’s services and controls thoroughly is key to determining whether they are in fact a subservice organization relevant to SOC 1.

Ask yourself: is the vendor’s function part of the system description, or do their services enable the stated controls to operate effectively?

If the answer to either question is yes, the vendor should be included in your SOC 1 assessment.

This can help you identify potential risks and develop stronger internal controls over financial reporting for your user base. Of course, ensuring you meet regulatory requirements is always the priority!

SSAE 18 Preparation tips:

  • Make sure you have all the right information and that everyone is on the same page for any new control or process change.
  • Hold as many meetings as it takes to get it right. Management should meet with the auditors, the department lead, the main employees responsible for the process, and anyone else who could lend valuable insight.
  • Discuss what makes sense for the control and how it should be implemented, while reviewing input from the other participants.
  • Double-check with those carrying out the tasks that the control accurately reflects their workflow before finalizing it.
  • Investing time in getting controls locked down before testing starts is extremely valuable. People often try to speed this process up and slack on it, leaving many open items that can blow up into a huge problem during testing. When the control isn’t 100% agreed upon before testing and a deviation is noted, it’s a tough call between failing the control and adjusting it to reflect the process accurately.
  • Put some extra effort upfront into locking down your processes correctly before having them tested against the SSAE 18 standard.

Follow through in this manner, and rest assured that your controls are up to snuff!

Benefits of SSAE 18

The benefits of SSAE 18 are as follows:

  • SSAE 18 compliance simplifies auditing by providing a standardized framework for assessing controls. This makes it easier and faster to audit different organizations, reducing the cost and complexity of audits.
  • By following SSAE 18 guidelines, you gain better visibility into your systems and controls. This helps organizations understand how their systems operate and identify areas for improvement.
  • Following SSAE 18 demonstrates an organization’s commitment to compliance and helps it meet statutory requirements. It also reduces the risk of non-compliance, which can result in financial penalties and other negative consequences.

Check Out Sprinto!

Overall, SSAE 18 is important because it provides guidance to organizations on how to comply with the requirements of the SOC 2 report. However, you don’t have to do everything manually!

Check out Sprinto, an automated compliance platform that helps you get compliant easily. With our end-to-end process, you can customize major and minor functions and rest assured that your compliance program is on autopilot.

With Sprinto you can continuously monitor your compliance posture to ensure smooth sailing.

Speak to one of our experts today for an effortless journey toward regulatory approval!

FAQs

Is SSAE 18 the same as SOC 1?

SSAE 18 and SOC 1 are frequently used interchangeably or together, but for clarity, remember that SSAE 18 is the professional AICPA standard under which licensed CPA firms issue SOC 1 Type 1 and Type 2 reports.

Is SSAE 18 the same as SOC 2?

SOC 2 is formulated by AICPA, and the CPAs are knowledgeable enough to review the results accurately. An SSAE 18 audit is like a SOC 2 but does not supply an identical level of detail.

Who is subject to SSAE 18?

Suppose your business renders external services that have an impact on the financial records of another organization. In that case, you might be required to submit a SOC 1 Type 2 report – particularly if the user organization is publicly traded.

What does SSAE stand for?

SSAE stands for Statement on Standards for Attestation Engagements. It was developed by the AICPA.

Meeba Gracy
Meeba, an ISC2-certified cybersecurity specialist, passionately decodes and delivers impactful content on compliance and complex digital security matters. Adept at transforming intricate concepts into accessible insights, she’s committed to enlightening readers. Off the clock, she can be found with her nose in the latest thriller novel or exploring new haunts in the city.