When it comes to compliance and regulation standards, it’s crucial to keep your organization up to date with attestation standards. SSAE 18 stands for “Statement on Standards for Attestation Engagements 18.” Simply put, it’s an auditing standard established by the American Institute of Certified Public Accountants (AICPA).

It’s a comprehensive framework that sets an auditing standard, and the resulting SSAE 18 report, for organizations that act as service providers to other companies in ways that can affect the financial statements of their clients. Let’s talk about what an SSAE 18 report is and whether it’s the right choice for your business.

What is SSAE 18’s Purpose?

The purpose of SSAE 18 is to provide a consistent and structured approach for auditors to evaluate the controls, policies, and procedures of service organizations that impact their clients' financial statements. It helps in assessing the reliability and security of organizational control and attestation reports. 

Why Does it Matter?

SSAE 18 matters for businesses and auditors for several reasons. It builds trust with your clients, ensures you’re in legal and regulatory compliance, gives you a competitive advantage through demonstrated internal control, and improves data security. It also streamlines your SSAE 18 audit, which keeps your customers happy.

Key Changes in SSAE 18

In this section, we’re going to discuss SSAE 16 vs. SSAE 18. Changes were made to enhance the audit standards for organizations, such as: 

Clearer Purpose: SSAE 18 extends its scope of engagement to assess controls impacting financial reporting and other operational aspects, providing a broader view compared to SSAE 16's primary focus on financial controls.

Emphasis on Risk Assessment: SSAE 18 places a stronger focus on rigorous risk assessment than SSAE 16 did, providing a more robust foundation for evaluations.

Written Assertions: SSAE 18 mandates written assertions by service organizations, enhancing transparency.

Complementary Controls: It evaluates both service organization control and user entity controls, recognizing their interplay.

Structured Opinion: SSAE 18 introduces a structured opinion framework, which simplifies the audit process. 

Cybersecurity Focus: A dedicated cybersecurity risk assessment section is introduced in SSAE 18.

Use of SOC 1 Framework: It allows the use of the SOC 1 framework for reporting on controls over financial reporting, aligning with SSAE 18's objectives.

Scope and Applicability 

Understanding the scope and applicability of SSAE 18 is imperative for those who plan to use it. 

Service Organizations: It should be no surprise that service organizations provide a service to their clients. Those that use SSAE 18 may provide services ranging from data hosting to cloud computing, which is why they need to ensure compliance with regulations.

Financial Reporting Impact: The main focus of SSAE 18 is on organizations that have an impact on the financial reporting of their clients, which can affect the accuracy of financial statements. 

Trust Services Criteria: SSAE 18 adopts the Trust Services Criteria, a set of principles and criteria developed by the AICPA, as the yardstick for evaluating controls and processes. These criteria span security, availability, processing integrity, confidentiality, and privacy.

Third-Party Assurance: Organizations can use independent auditors to assess their controls and processes. 

Regulatory Compliance: In some cases, regulatory requirements or contractual obligations may mandate SSAE 18 compliance. 

Variability: The scope and applicability of SSAE 18 vary depending on the organization. So, the decision to undergo SSAE 18 compliance depends on the specific industry requirements, regulatory obligations, and contractual agreements between the organization and its clients.

What is the SSAE 18 audit process?

Along with knowing what SSAE 18 is, those who intend to use it should understand the actual audit process as it is very detailed and systematic. 

Engagement Planning 

The audit begins with an initial meeting where the organization and the auditor make a plan. This is when the scope, objectives, and expectations are discussed. During the planning stage, the auditor spends time learning the business operations and the services provided in order to determine what to focus on.

Risk Assessment

The auditor will also identify any risks and assess them. This can include risks of material misstatement that can affect the internal audit process. Understanding these risks is imperative to an effective SSAE 18 audit plan. 

Examination of Controls

The auditor then performs control testing where they examine all controls already in place. This includes assessing the design of controls and their operating effectiveness. This is done to ensure everything is functioning as it should. 

Written Assertions

The service organization provides written assertions about the description of its system, the suitability of the design of controls, and the operating effectiveness of controls. These assertions are essential for the audit process.

Reporting

The auditor issues a report, either a "Type 1" or "Type 2," based on the scope. 

Type 1 Report: A "Type 1" report provides an opinion on the suitability of the design of controls in place at a specific point in time.

Type 2 Report: A "Type 2" report provides an opinion on both the design and operating effectiveness of controls over a specified period. This report is generally considered more comprehensive.

Client Considerations (If Applicable)

If the report is going to be sent to clients, their needs and expectations need to be considered, since the report may be used as part of the clients’ own financial statement audits.

Ongoing Monitoring

Once the audit is complete, the organization must continue to maintain the controls to ensure effectiveness. 

What are the benefits and importance of SSAE 18?

Other than being a legal necessity for some organizations, there are many benefits to SSAE 18, such as:

  • Client assurance
  • Transparency
  • Data security and privacy assurance 
  • Regulatory compliance 
  • Competitive advantage
  • Operational efficiency
  • Risk mitigation
  • Investor and stakeholder confidence

SSAE 18 vs. Other Audit Standards

To make an informed choice about which standard to apply, it's essential to understand the nuances of each and when and where SSAE 18 is most appropriate. 

Use SSAE 18 when you need a comprehensive evaluation of controls impacting financial reporting and operational aspects. It's especially important in the digital age due to its cybersecurity emphasis.

Opt for a SOC 1 audit when you need to assess financial controls specifically. This is most appropriate for organizations where financial reporting is the primary concern in a SOC report.

Choose a SOC 2 audit when data security, availability, processing integrity, confidentiality, and privacy controls are the central focus. It's best suited for service organizations where these aspects are critical.

Avoid using SSAE 16 as it's considered outdated compared to the enhanced clarity and structure offered by SSAE 18.

Have questions? Contact RiskRecon by Mastercard today to understand your cyber risk portfolio, categorize third-party risks, and have better peace of mind.