Introduction
Hey there! Have you ever wondered how companies make sure your data is safe when they outsource services like cloud hosting or payroll processing? Well, that’s where SSAE 18 comes into play. It’s like the cape for service organizations and auditors, making sure everything’s secure and in check. Think of it as a major upgrade from the SAS 70 Type II standards, introduced way back in 2002. In this discussion, we will delve into the details of SSAE 18, its purpose, and why it stands as a crucial milestone in assuring the integrity of service organizations and their operations.
What is SSAE 18?
SSAE 18 (Statement on Standards for Attestation Engagements No. 18) is a set of attestation standards issued by the American Institute of Certified Public Accountants (AICPA). The reports produced under it are commonly referred to as Service Organization Control (SOC) reports. Until June 15, 2017, these engagements were performed under the SAS 70 Type II standards; from that date onward they have been governed by the SSAE 18 standard. Compared with SAS 70 Type II, introduced in 2002, SSAE 18 is a more stringent reporting standard. It provides guidelines for auditors to assess and report on controls at service organizations. These controls relate to the security, availability, processing integrity, confidentiality, and privacy of the data and systems that service organizations manage on behalf of their clients.
What are the updates and revisions introduced in SSAE 18 Reports?
There are a few significant adjustments that businesses currently engaged in or planning to undertake SOC 1 or SOC 2 assessments should be mindful of this year and in the foreseeable future.
- Service organizations must establish a structured program for managing third-party vendors.
- Service organizations must put in place a formal annual risk assessment procedure.
Your SOC report will now include two additional sections: one describing the risk assessment process and one addressing the roles of subservice organizations and their impact on controls.
While these components were often included in SOC 2 reports in the past without being formally required, they are now a formal requirement for all SOC reports going forward.
SSAE 18 expands the scope of entities eligible for SOC 1 audits. It now includes those whose operations, while not financially significant, require compliance with certain laws, regulations, contractual agreements, or agreed-upon procedures. This broadens the range of services that can benefit from third-party validation.
This expansion allows for official, independent reviews of a wide variety of operations, all conducted within a consistent and trustworthy set of auditing and reporting standards.
What is the SSAE 18 Audit Standard?
SSAE 18, which stands for Statement on Standards for Attestation Engagements No. 18, is an audit standard issued by the American Institute of Certified Public Accountants (AICPA). It outlines the guidelines and procedures for auditors when they assess and report on controls at service organizations.
The primary focus of an SSAE 18 audit is to evaluate the effectiveness of controls related to the security, availability, processing integrity, confidentiality, and privacy of data and systems managed by service organizations. These audits are crucial for service providers that handle sensitive information and provide services such as data hosting, cloud computing, payroll processing, and other outsourcing services.
SSAE 18 introduced several significant changes compared to its predecessor, SSAE 16, including the requirement for a detailed system description, the assessment of complementary user-entity controls, and a stronger emphasis on risk assessment.
SSAE 18 is an audit standard that sets the framework for assessing and reporting on controls at service organizations, with a focus on ensuring the security and reliability of the services they provide to their clients.
Who needs the SSAE 18 Report?
The need for an SSAE 18 audit primarily arises for service organizations that provide services to other businesses and organizations. These services often involve handling sensitive data or critical processes for their clients. Here are some examples of service organizations that typically require an SSAE 18 audit:
- Data Centers and Hosting Providers: Companies that offer data hosting, cloud computing, or managed IT services need SSAE 18 audits to assure their clients that their data and systems are secure and available.
- Payroll Processing Companies: Organizations that handle payroll and employee benefits processing on behalf of their clients may undergo SSAE 18 audits to demonstrate the integrity and confidentiality of payroll data.
- Third-Party Administrators (TPAs): TPAs managing employee benefits, healthcare claims, or retirement plans often seek SSAE 18 audits to prove the accuracy and security of their administration processes.
- Financial Services Providers: Companies offering financial services like investment management, fund administration, and custodial services may undergo SSAE 18 audits to ensure the safety and confidentiality of financial data.
- Healthcare Organizations: Entities in the healthcare sector handling electronic health records (EHRs), medical billing, or health information may require SSAE 18 audits to ensure compliance with regulations like HIPAA.
SSAE 18 audits may also be required by organizations that are subject to certain regulations, such as the Sarbanes-Oxley Act (SOX) or the General Data Protection Regulation (GDPR).
In essence, any service organization that wants to provide assurance to its clients about the effectiveness of its controls, especially regarding data security, processing integrity, and confidentiality, may opt for an SSAE 18 audit. These audits help build trust between service providers and their clients by demonstrating that the necessary safeguards are in place to protect sensitive information and ensure the reliability of the services offered.
Difference Between SSAE 18 and SSAE 16:
The differences summarized in the table below reflect how SSAE 18 introduced enhancements and greater clarity in the audit and reporting process compared to SSAE 16, making it more comprehensive and relevant to a wider range of service organization engagements.

| Aspect | SSAE 18 | SSAE 16 |
| --- | --- | --- |
| Terminology | Introduced new terminology, such as "system description" and "complementary user-entity controls." | Relied on older terminology without these specific definitions. |
| Complementary User-Entity Controls | Requires assessment and reporting on complementary user-entity controls. | Did not emphasize the assessment and reporting of these controls to the same extent. |
| System Description | Demands a more detailed system description, providing a comprehensive understanding of the service organization's system. | Required a system description, but not as detailed and specific as under SSAE 18. |
| Subservice Organizations | Provides guidance on evaluating controls at subservice organizations and their impact on the system. | Offered less specific guidance on assessing subservice organizations' controls. |
| Risk Assessment | Places greater emphasis on risk assessment, requiring auditors to identify and assess risks relevant to the engagement. | Emphasized risk assessment to a lesser degree. |
| Coverage | Applicable to all service organization reports, not just those covering financial reporting controls (SOC 1). | Primarily associated with SOC 1 reports focused on financial reporting controls. |
Is compliance with an SSAE 18 report obligatory?
SSAE 18 is not mandatory in the legal sense. However, it is often required by clients of service organizations. For example, a company that outsources its IT infrastructure to a cloud computing provider may require the provider to obtain an SSAE 18 report to ensure that the provider has adequate controls in place to protect its data and systems.
SSAE 18 compliance may also be required by certain regulations. For example, the Sarbanes-Oxley Act (SOX) requires public companies to have their internal controls audited by an independent auditor. SSAE 18 audits can be used to satisfy this requirement for service organizations that provide services to SOX companies.
Overall, whether SSAE 18 compliance is mandatory for your organization depends on your specific circumstances. Either way, it is an important standard that can help you attract and retain customers, improve your operational efficiency, and reduce your overall risk profile.
How can companies best prepare for an SSAE 18 report?
Before embarking on the SSAE 18 process, it is worth considering several factors that can lead to significant savings in time and cost. Use the following items as a mini checklist:
- Is the need for an SSAE 18 report driven by a genuine business requirement, or is it primarily a response to external requests?
- Considering that SSAE 18 reports can cost at least $15,000 annually, should you weigh the potential loss of business against the expense of the report?
- Has your company already established well-defined Business Process and IT controls, or will you require assistance in developing and implementing them, necessitating a readiness assessment?
- Have you identified and assessed the controls that impact the outsourced services you offer?
- Lastly, have you clearly defined key stakeholders and ensured their involvement in discussions related to the SSAE 18 process?
Conclusion:
In conclusion, SSAE 18 reports are vital tools for service organizations. They provide clients with assurance about the effectiveness of controls, build trust, and facilitate compliance. While not mandatory for all, the decision to pursue SSAE 18 should be a strategic one, considering business needs, regulatory requirements, and competitive advantages. Ultimately, these reports contribute to transparency, security, and reliability in today’s interconnected business landscape.