SSAE 18—Elevating Assurance for Attestation

Described as "the standard that recodifies all the previous attestation standards," SSAE 18 is the latest Statement on Standards for Attestation Engagements set forth by the American Institute of Certified Public Accountants (AICPA). Moving beyond SSAE 16, SSAE 18, Attestation Standards: Clarification and Recodification, focuses on clarifying four main topics: third-party vendor management, data validation, risk assessments, and written representations.


For 18 years, Statement of Auditing Standards (SAS) 70 was the AICPA’s authoritative guidance for reporting on service organizations.  As cloud computing grew vital to many business environments, these standards became outdated.  Auditors had used this guidance to report on controls that affected the financial statements of the service organization’s clients.  However, SAS 70 lacked information for reporting on controls affecting the privacy of client data for cloud-computing providers.

Thus, the AICPA responded with an update known as SSAE 16, which covered more than merely the verification of controls and processes.  SSAE 16 also required that the auditor provide a written assertion on the design and operating effectiveness of tested controls.  However, SSAE 16 failed to provide necessary clarity, which is where SSAE 18 comes into play.

What’s Changed

Third-party vendor management

Third-party vendor management is the most significant change resulting from SSAE 18. The standard states that a service organization must have processes that monitor the controls at subservice organizations, that is, service organizations that perform functions for other service organizations. It offers suggestions for how best to achieve this, including creating a third-party vendor management policy that requires a periodic review of each subservice organization. It is no longer adequate to investigate a subservice organization only when first contracting with it; monitoring the subservice organization periodically is important in determining whether its controls are still operating effectively.

SSAE 18 has provided control suggestions for the continuous monitoring of the subservice organization, including:

  • Reviewing and reconciling output reports.
  • Holding periodic discussions with the subservice organization.
  • Making regular site visits.
  • Testing controls at the subservice organization via members of the service organization’s internal audit function.
  • Reviewing Type 1 or Type 2 Service Organization Controls (SOC) reports on each subservice organization’s system.
  • Monitoring external communications.

Data validation

Another update to the previous standards relates to data validation. SSAE 18 requires additional evaluation by service auditors who rely on information provided by the service organization. The standard provides examples of documents that an auditor must include in this additional evaluation, such as population lists used for sample tests, exception reports, lists of data with specific characteristics, transaction reconciliations, system-generated reports, and documentation that provides evidence of the operating effectiveness of controls (such as user access listings).

Under SSAE 16, it was permissible for a service organization to describe reports simply as "system generated." This is no longer the case, as the AICPA has made it clear that service organizations should disclose the nature of any report. In addition, the new standard requires that auditors determine whether information received from the service organization is "sufficiently reliable" for the purpose of the audit. They must document this determination, as well as the procedures performed to validate the integrity of the system that produced the information, for that information to be considered reliable.

Risk assessment

SSAE 18 also updates the risk assessment area of SOC reporting. A detailed risk assessment must now be performed by any firm engaged in a SOC audit. Auditors must develop a comprehensive understanding of the service organization, identify and assess the risk of material misstatement, and perform procedures that are responsive to those risks. The service organization is now required to give those performing the SOC audit a detailed risk assessment centered around key internal risks, areas that could result in material misstatements, and a list of supporting controls. This will aid the auditors in identifying the risk of material misstatement, as well as help them obtain a complete understanding of the service organization's controls.

Auditors and service organizations should take advantage of SOC reports, which are essential to gaining a level of comfort with information supplied by those third-party organizations.  Without a SOC report, organizations and auditors lack an efficient method for evaluating how the amounts are calculated or what safeguards are in place to preserve the integrity of data.

Written representations

The fourth main change relates to obtaining a written assertion from the service organization or subservice organization. This written assertion, a statement by the responsible party that its system description is complete and accurate, was required under SSAE 16 for most attestation engagements. Under SSAE 18, all attestation engagements must now have a written assertion signed by the responsible party.

As stated before, the update from SSAE 16 to SSAE 18 allows the AICPA to clarify guidance that previously may only have been inferred rather than explicitly stated. The result is that all attestation engagements will now carry a higher level of assurance than they did under SSAE 16.

These changes will be applicable for all reports that are dated May 1, 2017, or later.

If you have questions about SSAE 18, or would like to request a speaker on this topic for your organization or event, contact one of our executives below or call (800) 270-9629.

Mike Shamblin

Managing Principal of Audit & Assurance Services

Larry Felts
