SSAE 18—Elevating Assurance for Attestation

SSAE 18Described as “the standard that recodifies all the previous attestation standards,” SSAE 18 is the latest Statement on Standards for Attestation Engagements set forth by the American Institute of Certified Public Accountants (AICPA).  Moving beyond SSAE 16, SSAE 18, Attestation Standards: Clarification and Recodification, focuses on clarifying four main topics: third-party vendor management, data validation, risk assessments, and written representations.


For 18 years, Statement of Auditing Standards (SAS) 70 was the AICPA’s authoritative guidance for reporting on service organizations.  As cloud computing grew vital to many business environments, these standards became outdated.  Auditors had used this guidance to report on controls that affected the financial statements of the service organization’s clients.  However, SAS 70 lacked information for reporting on controls affecting the privacy of client data for cloud-computing providers.

Thus, the AICPA responded with an update known as SSAE 16, which covered more than merely the verification of controls and processes.  SSAE 16 also required that the auditor provide a written assertion on the design and operating effectiveness of tested controls.  However, SSAE 16 failed to provide necessary clarity, which is where SSAE 18 comes into play.

What’s Changed

Third-party vendor management

Third-party vendor management is the most significant change resulting from SSAE 18.  The SAS states that a service organization must have processes that monitor the controls at subservice organizations—service organizations that perform functions for other service organizations.  The SAS gives suggestions for best achieving this, including creating a third-party vendor management policy that requires a periodic review of the subservice organization.  It is no longer adequate to investigate a subservice organization only when first contracting with them; having the subservice organization monitored periodically is important in determining if its controls are still operating effectively.

SSAE 18 has provided control suggestions for the continuous monitoring of the subservice organization, including:

  • Reviewing and reconciling output reports.
  • Holding periodic discussions with the subservice organization.
  • Making regular site visits.
  • Testing controls at the subservice organization via members of the service organization’s internal audit function.
  • Reviewing Type 1 or Type 2 Service Organization Controls (SOC) reports on each subservice organization’s system.
  • Monitoring external communications.

Data validation

Another update to the previous standards relates to data validation.  SSAE 18 requires additional evaluation for service auditors relying on information provided by the service organization.  The SAS provides examples of documents that an auditor must include in this additional evaluation, such as population lists used for sample tests, exception reports, lists of data with specific characteristics, transaction reconciliations, system-generated reports, and documentation that provides evidence of the operating effectiveness of controls (such as user access listings).

Under SSAE 16, it was permissible for a service organization to describe reports as “system generated.”  This is no longer the case, as the AICPA has made it clear that service organizations should disclose the nature of any report.  Alternatively, the new SAS requires that auditors determine if information received by the service organization is “sufficiently reliable” for the purpose of the audit.  They must document this, as well as procedures performed to validate the integrity of the system, for that information to be reliable.

Risk assessment

SSAE 18 also updates the risk assessment area of SOC reporting.  A detailed risk assessment must now be performed by any firm engaged in a SOC audit.  Auditors must cultivate a comprehensive understanding and identify and asses the risk of material misstatement, in addition to following procedures that are responsive to those risks.  The service organization is now required to give those performing the SOC audit a detailed risk assessment centered around key internal risks, areas that could result in material misstatements, and a list of supporting controls.  This will aid the auditors in identifying the risk of material misstatement, as well as help them obtain a complete understanding of the service organization’s controls.

Auditors and service organizations should take advantage of SOC reports, which are essential to gaining a level of comfort with information supplied by those third-party organizations.  Without a SOC report, organizations and auditors lack an efficient method for evaluating how the amounts are calculated or what safeguards are in place to preserve the integrity of data.

Written representations

The fourth main change relates to obtaining a written assertion from the service organization or subservice organization.  This written assertion, which is a statement by the responsible party claiming its system description is complete and legitimate, was required under SSAE 16 for most attestation engagements.  It is now a requirement under SSAE 18 that all attestation engagements have a written assertion signed by the responsible party.

As stated before, the update from SSAE 16 to SSAE 18 allows the AICPA to clarify guidance that may have been inferred, rather than explicitly stated.  The results are that all attestation engagements will now have a higher level of assurance than was brought about under SSAE 16.

These changes will be applicable for all reports that are dated May 1, 2017, or later.

If you have questions about SSAE 18, or would like to request a speaker on this topic for your organization or event, contact one of our executives below, (800) 270-9629.

Mike Shamblin

Mike Shamblin

Managing Principal of Audit & Assurance Services

Larry Felts

Larry Felts


Related Posts
Several PYA employees were acknowledged for their achievements in mid-year promotions.   PYA, a professional services firm, has announced that Matt Neilson is the latest principal to join its executive team.  In addition,...
Read More

PYA Announces Several Mid-Year Promotions

In the nonprofit world, organizations are fueled and sustained by generous contributions and grants, which are used to support the organization’s mission.  Although such funding can often be the deciding...
Read More

“Threading the Needle”—Accounting Standards Update Closes Hole in Nonprofit Grant Guidance

Certain employees of governmental and not-for-profit organizations may qualify for a program that offers student loan forgiveness with zero tax liability.   The Public Service Loan Forgiveness (PSLF) Program gives full-time...
Read More

Tax-Free Student Loan Forgiveness for Eligible Public Servants

PYA, a national professional services firm headquartered in Knoxville, has been awarded a 2018 Top Workplaces honor by the Knoxville News Sentinel. The award is a result of employee feedback...
Read More

Knoxville News Sentinel Names PYA a Winner of the Greater Knoxville Area 2018 Top Workplaces Award

The new Tax Cuts and Jobs Act (TCJA) can be confusing for many-- especially small business owners.  Although many aspects of the TCJA have been discussed, one component of the...
Read More

Government Clamps Down on “Deductible Fun” for Businesses

As businesses consider the impact of the Tax Cuts and Jobs Act (TCJA) introduced late last year, the corporate tax rate is receiving substantial attention.  However, according to a 2014...
Read More

2018 Tax Reform – The Excess Loss Limitation Likely to Squeeze Owners of Cyclical Businesses

A recent Accounting Standards Update (ASU) addresses land easements and their accounting under the new lease standards.  In January 2018, the Financial Accounting Standards Board (FASB) issued ASU 2018-01 Leases:...
Read More

Land Easements—Guidance for Implementing New Lease Accounting Standards

Many Americans have a 401(k) retirement savings plan as a benefit of employment with their employers.  They contribute a percentage of their compensation to their 401(k) each pay period with...
Read More

Taking Distributions from Your 401(k): What You Need to Know

Stakeholders seeking clarity were behind the latest Accounting Standards Update (ASU) issued by the Financial Accounting Standards Board (FASB).  In response to questions raised, the FASB released ASU 2018-03: Technical...
Read More

Measuring Fair Value: New ASU Offers Clarity

Share This Insight

If you received value from this article, please share it with your network (e.g., Facebook, Twitter, LinkedIn). Icons below for your convenience.

Stay Current

* indicates required
Monthly eNewsletters
See more newsletter and alert options.

PYA Population Health Ascend

PYA Healthcare Blog

PYA Thought Leadership Services

The Healthcare Loop