Described as “the standard that recodifies all the previous attestation standards,” SSAE 18 is the latest Statement on Standards for Attestation Engagements set forth by the American Institute of Certified Public Accountants (AICPA). Moving beyond SSAE 16, SSAE 18, Attestation Standards: Clarification and Recodification, focuses on clarifying four main topics: third-party vendor management, data validation, risk assessments, and written representations.
For 18 years, Statement on Auditing Standards (SAS) 70 was the AICPA’s authoritative guidance for reporting on service organizations. As cloud computing grew vital to many business environments, these standards became outdated. Auditors had used this guidance to report on controls that affected the financial statements of the service organization’s clients. However, SAS 70 lacked guidance for reporting on controls affecting the privacy of client data held by cloud-computing providers.
Thus, the AICPA responded with an update known as SSAE 16, which covered more than merely the verification of controls and processes. SSAE 16 also required that the auditor provide a written assertion on the design and operating effectiveness of tested controls. However, SSAE 16 failed to provide necessary clarity, which is where SSAE 18 comes into play.
Third-party vendor management
Third-party vendor management is the most significant change resulting from SSAE 18. The SAS states that a service organization must have processes that monitor the controls at subservice organizations—service organizations that perform functions for other service organizations. The SAS gives suggestions for best achieving this, including creating a third-party vendor management policy that requires a periodic review of the subservice organization. It is no longer adequate to investigate a subservice organization only when first contracting with it; monitoring the subservice organization periodically is important in determining whether its controls are still operating effectively.
SSAE 18 has provided control suggestions for the continuous monitoring of the subservice organization, including:
- Reviewing and reconciling output reports.
- Holding periodic discussions with the subservice organization.
- Making regular site visits.
- Testing controls at the subservice organization via members of the service organization’s internal audit function.
- Reviewing Type 1 or Type 2 Service Organization Controls (SOC) reports on each subservice organization’s system.
- Monitoring external communications.
Another update to the previous standards relates to data validation. SSAE 18 requires additional evaluation for service auditors relying on information provided by the service organization. The SAS provides examples of documents that an auditor must include in this additional evaluation, such as population lists used for sample tests, exception reports, lists of data with specific characteristics, transaction reconciliations, system-generated reports, and documentation that provides evidence of the operating effectiveness of controls (such as user access listings).
Under SSAE 16, it was permissible for a service organization to describe reports as “system generated.” This is no longer the case, as the AICPA has made it clear that service organizations should disclose the nature of any report. In addition, the new SAS requires that auditors determine whether information received from the service organization is “sufficiently reliable” for the purpose of the audit. They must document this determination, as well as the procedures performed to validate the integrity of the system that produced the information, for that information to be treated as reliable.
SSAE 18 also updates the risk assessment area of SOC reporting. A detailed risk assessment must now be performed by any firm engaged in a SOC audit. Auditors must cultivate a comprehensive understanding of the service organization, identify and assess the risk of material misstatement, and follow procedures that are responsive to those risks. The service organization is now required to give those performing the SOC audit a detailed risk assessment centered around key internal risks, areas that could result in material misstatements, and a list of supporting controls. This will aid the auditors in identifying the risk of material misstatement, as well as help them obtain a complete understanding of the service organization’s controls.
Auditors and service organizations should take advantage of SOC reports, which are essential to gaining a level of comfort with information supplied by those third-party organizations. Without a SOC report, organizations and auditors lack an efficient method for evaluating how the amounts are calculated or what safeguards are in place to preserve the integrity of data.
The fourth main change relates to obtaining a written assertion from the service organization or subservice organization. This written assertion, which is a statement by the responsible party claiming its system description is complete and legitimate, was required under SSAE 16 for most attestation engagements. It is now a requirement under SSAE 18 that all attestation engagements have a written assertion signed by the responsible party.
As stated before, the update from SSAE 16 to SSAE 18 allows the AICPA to clarify guidance that may have been inferred, rather than explicitly stated. The results are that all attestation engagements will now have a higher level of assurance than was brought about under SSAE 16.
These changes will be applicable for all reports that are dated May 1, 2017, or later.