SSAE 18—Elevating Assurance for Attestation

Described as “the standard that recodifies all the previous attestation standards,” SSAE 18 is the latest Statement on Standards for Attestation Engagements set forth by the American Institute of Certified Public Accountants (AICPA).  Moving beyond SSAE 16, SSAE 18, Attestation Standards: Clarification and Recodification, focuses on clarifying four main topics: third-party vendor management, data validation, risk assessments, and written representations.


For 18 years, Statement of Auditing Standards (SAS) 70 was the AICPA’s authoritative guidance for reporting on service organizations.  As cloud computing grew vital to many business environments, these standards became outdated.  Auditors had used this guidance to report on controls that affected the financial statements of the service organization’s clients.  However, SAS 70 lacked information for reporting on controls affecting the privacy of client data for cloud-computing providers.

Thus, the AICPA responded with an update known as SSAE 16, which covered more than merely the verification of controls and processes.  SSAE 16 also required that the auditor provide a written assertion on the design and operating effectiveness of tested controls.  However, SSAE 16 failed to provide necessary clarity, which is where SSAE 18 comes into play.

What’s Changed

Third-party vendor management

Third-party vendor management is the most significant change resulting from SSAE 18.  The SAS states that a service organization must have processes that monitor the controls at subservice organizations—service organizations that perform functions for other service organizations.  The SAS gives suggestions for best achieving this, including creating a third-party vendor management policy that requires a periodic review of the subservice organization.  It is no longer adequate to investigate a subservice organization only when first contracting with them; having the subservice organization monitored periodically is important in determining if its controls are still operating effectively.

SSAE 18 has provided control suggestions for the continuous monitoring of the subservice organization, including:

  • Reviewing and reconciling output reports.
  • Holding periodic discussions with the subservice organization.
  • Making regular site visits.
  • Testing controls at the subservice organization via members of the service organization’s internal audit function.
  • Reviewing Type 1 or Type 2 Service Organization Controls (SOC) reports on each subservice organization’s system.
  • Monitoring external communications.

Data validation

Another update to the previous standards relates to data validation.  SSAE 18 requires additional evaluation for service auditors relying on information provided by the service organization.  The SAS provides examples of documents that an auditor must include in this additional evaluation, such as population lists used for sample tests, exception reports, lists of data with specific characteristics, transaction reconciliations, system-generated reports, and documentation that provides evidence of the operating effectiveness of controls (such as user access listings).

Under SSAE 16, it was permissible for a service organization to describe reports as “system generated.”  This is no longer the case, as the AICPA has made it clear that service organizations should disclose the nature of any report.  Alternatively, the new SAS requires that auditors determine if information received by the service organization is “sufficiently reliable” for the purpose of the audit.  They must document this, as well as procedures performed to validate the integrity of the system, for that information to be reliable.

Risk assessment

SSAE 18 also updates the risk assessment area of SOC reporting.  A detailed risk assessment must now be performed by any firm engaged in a SOC audit.  Auditors must cultivate a comprehensive understanding and identify and assess the risk of material misstatement, in addition to following procedures that are responsive to those risks.  The service organization is now required to give those performing the SOC audit a detailed risk assessment centered around key internal risks, areas that could result in material misstatements, and a list of supporting controls.  This will aid the auditors in identifying the risk of material misstatement, as well as help them obtain a complete understanding of the service organization’s controls.

Auditors and service organizations should take advantage of SOC reports, which are essential to gaining a level of comfort with information supplied by those third-party organizations.  Without a SOC report, organizations and auditors lack an efficient method for evaluating how the amounts are calculated or what safeguards are in place to preserve the integrity of data.

Written representations

The fourth main change relates to obtaining a written assertion from the service organization or subservice organization.  This written assertion, which is a statement by the responsible party claiming its system description is complete and legitimate, was required under SSAE 16 for most attestation engagements.  It is now a requirement under SSAE 18 that all attestation engagements have a written assertion signed by the responsible party.

As stated before, the update from SSAE 16 to SSAE 18 allows the AICPA to clarify guidance that may have been inferred, rather than explicitly stated.  The results are that all attestation engagements will now have a higher level of assurance than was brought about under SSAE 16.

These changes will be applicable for all reports that are dated May 1, 2017, or later.

If you have questions about SSAE 18, or would like to request a speaker on this topic for your organization or event, contact one of our executives below at (800) 270-9629.

Mike Shamblin

Managing Principal of Audit & Assurance Services

Larry Felts

