As for an SSAE 18 audit definition, look upon Statement on Standards for Attestation Engagements (SSAE) No. 18 as the following:
Attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) addressing engagements undertaken by a service auditor for reporting on controls at organizations (i.e., service organizations) that provide services to user entities, where the service organization's controls are likely to be relevant to the user entities' internal control over financial reporting (ICFR). In simpler terms, SSAE 18 is the attestation standard used for reporting on controls at service organizations, and it is part of the American Institute of Certified Public Accountants’ Service Organization Control (SOC) reporting framework, which consists of SOC 1, SOC 2, and SOC 3 reports.
But there are numerous other items to learn about regarding SSAE 18, such as the following:
1. SSAE 18 is part of the comprehensive AICPA Service Organization Control (SOC) reporting framework.
3. SSAE 18 also brings to light the relevance of subservice organization reporting, the internal audit function, and the ICFR concept.
4. SOC 1 SSAE 18 reporting is the de facto standard for reporting on controls at service organizations, but the AICPA SOC framework also offers other viable reporting options, such as SOC 2 and SOC 3 reporting, which incorporate the Trust Services Principles (TSP).
5. ISAE 3402 is the international standard (and equivalent) to the AICPA SSAE 16 attestation standard.
As for more technical and in-depth information regarding Statement on Standards for Attestation Engagements (SSAE) No. 16, turn to the experts at NDNB Accountants & Consultants (NDNB), regulatory compliance experts in ISAE 3402, SOC 1 SSAE 18, SOC 2, and SOC 3 reporting.
As for Items 6 through 10 of the SOC 1 SSAE 18 audit checklist, please note the following:
6. Assign roles and responsibilities to internal personnel. This is another concept that sounds relatively straightforward, yet challenges often arise when deliverables come due. From answering the SOC 1 SSAE 18 readiness questionnaires offered by CPA firms to gathering valuable audit evidence, roles and responsibilities need to be clear and transparent.
7. Assist in authoring the final report. The actual deliverable for a SOC 1 SSAE 18 engagement is known as the Service Auditor’s Report, a lengthy document that highlights numerous operational and business process activities undertaken by the service organization. This is technically known as the description of the “system”, and service organizations are required to produce one. Look upon the description of the “system” as the following: the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities. The key to authoring a well-written and comprehensive description of one’s “system” is to work with a CPA firm specializing in SOC 1 SSAE 18 compliance, such as NDNB.
8. Provide a written statement of assertion. Along with the description of its “system”, management of the service organization must also provide a written statement of assertion as part of its SOC 1 SSAE 18 reporting requirements. The “assertion” – as it’s commonly called – is essentially a document in which the service organization asserts to a number of essential clauses and provisions regarding the SOC 1 SSAE 18 assessment process itself. The CPA firm conducting the engagement can provide you with a written statement of assertion template. Interestingly, the assertion was never a requirement under the previous SAS 70 auditing standard, which had been in place for approximately twenty (20) years (April, 1992 to June 15, 2011), but it became a requirement for SSAE 16 and continues on for SOC 1 SSAE 18.
9. SSAE 18 is a moving target, so plan accordingly. SSAE 18 is not a "one and done" concept. The actual SOC 1 SSAE 18 Type 2 assessment may only be done once a year, but service organizations should strive to conduct compliance activities on a quarterly basis. Specifically, gathering audit evidence and working with the external CPA firm conducting the annual assessment throughout the year is a smart move, one that results in efficiency for both sides. Talk to your CPA and establish quarterly milestones throughout the year for your annual SOC 1 SSAE 18 Type 2 report.
10. Determine the appropriate users of the report. In recent years, there’s been much debate on who can obtain a SOC 1 SSAE 18 report – and more importantly – what part of the report should be distributed. Generally speaking, only “intended users” should be given access to a SOC 1 SSAE 18 report – and even then – only a brief summary, such as the auditor’s “opinion page”, should be released. However, many “intended users” prefer or even demand access to the entire report. The point is to assess early on what your clients demand regarding SSAE 16 reporting, and what specifically they expect to receive.
Service organizations would benefit greatly from having a comprehensive SOC 1 SSAE 18 audit checklist – one that assists in planning for a Type 1 or Type 2 assessment by a CPA firm. As such, take note of the following SSAE 16 audit checklist, provided by NDNB Accountants & Consultants (NDNB), a nationally recognized IR CPA firm.
2. Gain a strong understanding of SOC 1 SSAE 18. Learning about the “who, what, when, where, and why” of SOC 1 SSAE 18 ultimately allows you to ask thoughtful, intelligent questions of the CPA firms proposing on the engagement, while providing useful information to senior management within one’s organization. A great place to learn essentially everything you need to know about SOC 1 SSAE 18 audit requirements is the official SOC Report Resource Guide, developed exclusively by NDNB Accountants & Consultants. Learn about the background of SOC 1 SSAE 18, the types of reporting options, planning and scope considerations, along with literally dozens of other critical topics – it’s all available – and free – at the official SOC Report Resource Guide.
3. Determine engagement scope. A very important part of planning for a SOC 1 SSAE 18 Type 1 or Type 2 assessment is unearthing the essential boundaries of the engagement itself – specifically – the following:
(1). Are there any prior reporting assessments that were conducted (i.e., a recent SSAE 18 report or an even more recent SOC 1 SSAE 18 report) that can assist in properly scoping the engagement?
(2). What control objectives and related controls will be used in forming the basis for SOC 1 SSAE 18 reporting, and do they meet the stated requirements set forth by user entities for reporting purposes?
(3). Have all relevant and material subservice organizations been identified, and if so, will the “carve-out method” or the “inclusive method” be used regarding these entities?
(4). As for physical locations, how many are to be included within the scope of a SOC 1 SSAE 18 engagement?
(5). What is the relevant testing period that will be used for SOC 1 SSAE 18 reporting?
(6). What personnel at the service organization itself will be involved in facilitating the entire SOC 1 SSAE 18 audit process?
These are high-level questions and statements that can be further refined for building one’s own SOC 1 SSAE 18 audit checklist.
4. Conduct an internal SOC 1 SSAE 18 Readiness Assessment. Once the scope of the audit has been clearly identified and agreed upon, it’s time to examine the respective control environments for purposes of identifying any possible areas of remediation, which can include any number of issues, such as the following:
• Lack of documented and formalized policies and procedures for many of the areas pertaining to the SOC 1 SSAE 18 assessment itself, particularly regarding information security documentation.
• Weak enforcement of procedural based activities, such as opening formalized change request tickets, trouble tickets, etc. for any relevant issues.
• Lack of audit evidence itself, as many systems simply fail to keep logging and audit trails for acceptable minimum periods.
• Poorly provisioned systems, which often lead to network vulnerabilities and other exploitable weaknesses.
5. Remediate areas of concern. It’s perfectly acceptable to actually “remediate” areas that require remediation – after all – it’s why organizations conduct SSAE 16 Readiness Assessments prior to the actual audit itself. The key is to truly remediate the findings and correct the deficiencies – ultimately improving one’s control environment. What good is remediation if the areas of concern are flagged, yet little or no attention is given to correcting the problems? Not only would receiving an “unqualified” (i.e., clean) opinion for the SOC 1 SSAE 18 be a real challenge, one’s control environment would still exhibit material deficiencies. It’s a no-win situation, so remediate!
Provide a written statement of assertion by management. Management of the service organization must also provide a written statement of assertion to the actual practitioner (i.e., CPA) performing the SOC 1 SSAE 18 Type 1 or Type 2 engagement. This written assertion requires management to effectively assert to a number of provisions relating to the actual SSAE 18 standard and the overall assessment process. The written assertion is a newer requirement for service organization reporting: it was not a part of the SAS 70 auditing standard, which was in use from April, 1992 to June 15, 2011, but it was required under the SSAE 16 auditing standard. NDNB Accountants & Consultants can provide service organizations with a template to use, which can also be found within many of the AICPA publications available at cpa2biz.com.
Learn about subservice organization reporting. Subservice organization reporting comes into play when one service organization utilizes the services of another service organization, hence creating subservice organization reporting requirements. The “inclusive” and “carve-out” methods are used for reporting on these subservice organizations for purposes of SOC 1 SSAE 18 Type 1 and Type 2 compliance.
Consider the internal audit function. Many service organizations have internal operational staff (or even outsourced auditors) that assist in many day-to-day internal audit functions. This is important to note, as the internal audit function itself can become an important component of SOC 1 SSAE 18 audit requirements – provided certain criteria have been met, such as the following:
• The objectivity and overall competency (technical and professional) of the group.
• Is due professional care used when the work is being performed by the internal audit function?
• Can the internal audit function of the service organization effectively communicate with the service auditor in a transparent and professional manner for helping facilitate the SOC 1 SSAE 18 engagement?
SOC 1 SSAE 18 audit requirements can best be explained in two distinct ways – first, by providing a comprehensive overview of the actual SSAE 18 standard itself – then by discussing the actual requirements that must be met for ensuring compliance with Statement on Standards for Attestation Engagements (SSAE) No. 18. With that said, let’s step back and learn about the evolution of SSAE 18, which begins with a discussion of the following subject matter:
Understand the evolution of SSAE 16 and SSAE 18. The AICPA SSAE 18 attestation standard essentially replaced the aging and antiquated SSAE 16 and SAS 70 auditing standards that had been in use for approximately 25 years. From April of 1992 to March of 2017, SAS 70 and SSAE 16 were the dominant, global de facto compliance mandates for reporting on controls at service organizations. But twenty-five years with two standards – one of which never really went through any major revisions – is a long time indeed, thus the AICPA began planning for big changes, which ultimately led to the pronouncement of SSAE 18, which became an important component of the AICPA Service Organization Control (SOC) reporting framework.
Learn about the AICPA SOC framework. After years of faithful service, the SAS 70 auditing standard and SSAE 16 were effectively superseded by not only the SSAE 18 attestation standard, but a completely new framework for reporting on controls at service organizations. Known as Service Organization Control (SOC) reports, the SOC framework is a radical departure from the one-size-fits-all approach held by SAS 70 for approximately twenty (20) years. In short, with three reporting options – SOC 1, SOC 2, and SOC 3 – service organizations have more flexibility and more choices regarding third-party assessments of their control environments. While SOC 1 has quickly become the dominant reporting option, SOC 2 and SOC 3 are extremely viable, especially for many of today’s technology companies.
Choosing between SOC 1 SSAE 18 Type 1 or Type 2 reporting. SOC 1 SSAE 18 reporting offers two options for service organizations – Type 1 or Type 2 reporting. The general trend is for any organization new to third-party reporting on its internal control environment to begin with a SOC 1 SSAE 18 Type 1 report, followed by subsequent SOC 1 SSAE 18 Type 2 reporting. Type 1 reporting is merely a “snapshot” in time – a specific day – while SOC 1 SSAE 18 Type 2 reporting covers what’s known as a “test period”, which is generally a minimum of six (6) months, but can also be eight, ten, or even twelve months. And because the “test period” provides much more insight and overall assurance about a service organization’s control environment, it’s seen as the much more credible reporting option.
Develop a description of its “system”. One of the most important components of all the SSAE 18 audit requirements is for management to develop a description of its “system” – specifically, “the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities.” If you’re new to SOC 1 SSAE 18 compliance, then a competent and well-qualified IR CPA firm can assist with this requirement. Writing a thoughtful and comprehensive description of one’s “system” can take considerable time – but remember – it’s an absolute requirement for SOC 1 SSAE 18 Type 1 and Type 2 reporting.
Say hello to Statement on Standards for Attestation Engagements (SSAE) No. 18 and goodbye to the historical SAS 70 and SSAE 16 auditing standards. For SOC reports dated on or after May 1, 2017, SSAE 18 is the official standard for issuing SOC 1 Type 1 and SOC 1 Type 2 reports. And though there are similarities with SSAE 16, such as offering Type 1 and Type 2 reporting, the AICPA SSAE 18 standard is now part of a bigger, better, and much improved framework for reporting on controls at service organizations. It's called the Service Organization Control (SOC) framework, and you'll be hearing quite a bit about it.
The AICPA SOC Framework
Type 1 vs. Type 2
SOC 1 (SSAE 16/SSAE 18) audit reports can be either Type 1 or Type 2, depending on the service organization's needs and requirements. For an ounce of clarity, just remember that a SOC 1 (SSAE 16/SSAE 18) Type 1 audit report is merely a "snapshot" in time, while a SOC 1 (SSAE 16/SSAE 18) Type 2 report covers what's commonly known as a "test period", which is generally seen as six (6) to twelve (12) months in length. For purposes of regulatory compliance – and for satisfying increased client demands – SOC 1 (SSAE 16/SSAE 18) Type 2 reporting is ultimately what service organizations choose when reporting on their controls. Type 1 reports are a good stepping stone up to the Type 2 reporting process.
According to the now historical SSAE 16 publication (which you can still reference regarding important auditing subject matter, even though it has been superseded) put forth by the American Institute of Certified Public Accountants, a control objective is the "aim or purpose of specified controls at the service organization which address the very risks that these controls are intended to effectively mitigate". More simply stated, a control objective is an attribute that ensures a control or set of controls is operating effectively, and as designed. It's the basis of the entire SOC 1 (SSAE 16/SSAE 18) assessment process, and auditors and service organizations often work together in a collaborative manner in developing these control objectives. Technically speaking, however, the control objectives and related controls are those of the service organization.
Subservice Organization Reporting
Subservice organizations have become a very important part of SOC 1 (SSAE 16/SSAE 18) Type 1 and Type 2 audit reports, and for good reason. Learn more about what subservice organizations are, such as the "inclusive" and "carve-out" reporting requirements.
Service Organization Requirements
Management has two very clear requirements for SOC 1 (SSAE 16/SSAE 18) audit reporting (for both Type 1 and Type 2): provide a written statement of assertion, along with a description of its "system". Both the written assertion by management and the description of its "system" are requirements under SOC 1 (SSAE 16/SSAE 18) that did not exist under the historical SAS 70 auditing standard.
NDNB – Providers of Fixed-Fee SOC 1 (SSAE 16/SSAE 18), SOC 2, and SOC 3 Audits
As the nation’s leading provider of regulatory compliance services and solutions, NDNB offers competitively priced, fixed-fee SOC 1 (SSAE 16/SSAE 18), SOC 2, and SOC 3 audits and assessments. Whatever the industry, size, or location of your organization, we have scalable, efficient, and high-quality services to meet your needs.