As for an SSAE 18 audit definition, look upon Statement on Standards for Attestation Engagements (SSAE) No. 18 as the following:
Attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) addressing engagements undertaken by a service auditor for reporting on controls at organizations (i.e., service organizations) that provide services to user entities, for which a service organization's controls are likely to be relevant to a user entities internal control over financial reporting (ICFR). In simpler terms, SSAE 18 is the attestation standard used for reporting on controls at service organizations, one that is part of the American Institute of Certified Public Accountants’ Service Organization Control (SOC) reporting framework, which consists of SOC 1, SOC 2, and SOC 3 reports.
But there are numerous other items to learn about regarding SSAE 18, such as the following:
1. SSAE 18 is part of the comprehensive AICPA Service Organization Control (SOC) reporting framework.
2. SSAE 18 reporting – both Type 1 and Type 2 reports – require a description of its “system”, along with a written statement of assertion by management, both of which are critically important.
3. SSAE 18 also brings to the light the relevancy of subservice organization reporting, the internal audit function, and the ICFR concept.
4. SOC 1 SSAE 18 reporting, while the de facto standard for reporting on controls at service organizations - also has viable reporting options under the AICPA SOC framework, such as SOC 2 and SOC 3 reporting, which incorporate the Trust Services Principles (TSP).
5. ISAE 3402 is the international standard (and equivalent) to the AICPA SSAE 16 attestation standard.
As for more technical and in-depth information regarding Statement on Standards for Attestation Engagements (SSAE) No. 16, turn to the experts at NDNB Accountants & Consultants (NDNB), regulatory compliance experts in ISAE 3402, SOC 1 SSAE 18, SOC 2, and SOC 3 reporting.
