SSAE 18

SSAE 16 Type I Report Background Information

There are significant differences between a Type I and Type II report, however, we aren’t going to discuss that here, thats for another day. We will discuss the basics of a SSAE 16 Type I Report and some areas that should be focused on if this is the direction your company wants to take.

While the Type I Report doesn’t carry much weight, there are benefits, and that’s why it exists as an option. A Type I Report is specifically defined by the SSAE 16 guidance as a “report on a description of a service organization’s system and the suitability of the design of controls”, essentially, a determination of if your company’s controls designed appropriately. When performing a Type I report, the auditors will test the design effectiveness of your company’s defined controls by examining a sample of 1 item per control. This provides a user organization with some comfort that your company (the service organization) has at least some controls in place. This can be useful when trying to obtain a contract and to show good faith to the potential user organization that your company is moving in the right direction. Most user organizations will require a Type II Report before contracting your company as a service organization of theirs.

The Type I Report is made up of 3 major areas, per the SSAE No. 16 Guidance:

a description of the service organization’s system prepared by management of the service organization.

– Management will need to prepare a description of the control objectives that are in place and being tested at their organization, as it relates to the process that is being reviewed for use by a User Organization. This will read sort of like a narrative of the process and how your control objectives tie in to each other and the process as a whole, giving a User Organization an overview of what and how, at a high level, their data will be handled.

a written assertion by the Service Organization’s management about whether, in all material respects, and based on suitable criteria:

1. the description of the service organization’s system fairly presents the service organization’s system that was designed and implemented as of a specified date.
2. the controls related to the control objectives stated in the description were suitably designed to achieve those control objectives as of the specified date.

– Management will need to prepare a written assertion attesting to the fair presentation and design of controls. Previously under SAS 70, it was the auditors who reported directly on the controls and management was not required to attest to anything. (There will be a separate post describing this in detail as this is a major difference)
The final component:

a service auditor’s report that expresses an opinion on the matters in b1-2.

– The auditors that are hired to perform the testing will need to review the Management’s assessment of the design of controls and attest to the validity of Management’s opinion. The auditors will walk through the control objectives and control activities in place at your company and verify they are, in fact, designed as Management noted. This is where the auditors will obtain a sample of 1 to support each control activity and express the results of their testing.

Specifics of reporting details for a SSAE Type I will be discussed later on!

This information is also consistent with SSAE-18 which is effective as of May 1, 2017.

SSAE 18 (SSAE 16) Preparation Tips

This tip is focused on designing controls that reflect the process being testing, if they don’t, a headache of massive proportions will be created once testing begins.

What do you do to make sure you don’t screw this up? Have as many meetings as it takes to get it right.
What you need to do is sit down with the auditors, the department lead, the main employees responsible for performing the process, and anyone else whom could either play a role in testing or modifying the control in the future. Once that is done, Management should discuss what they determined the control to be and how it should operate, that is then reviewed by the auditors, and then the employees performing the tasks should be reconsulted to verify that the control still reflects their process accurately.

Many times people try to speed this process up and slack on it, leaving many open items which upon testing could easily blow up into a huge problem. When the control isn’t 100% agreed upon prior to testing and a deviation is noted, it’s a tough call between failing the control and the ability to adjust it to accurately reflect the process. The problem is modifying a control after testing has begun is not proper and needs to be avoided at all costs.

Locking the controls locked down early on could save weeks in wrapping up your new SSAE 16 Report.
We have seen issues like this cause delays in issuing of the report to the client and running additional fees, since adjusting controls isn’t free. Coming from the perspective of the auditor, we can let you know the pitfalls, consequences and how to best navigate the audit process. If you have any comments or questions please leave them below!

SSAE 16 Terminology – Criteria

Criteria, as defined by the SSAE 18 (formerly SSAE 16) guidance are:

The standards or benchmarks used to measure and present the subject matter and against which the service auditor evaluates the subject matter.

Criteria are the overarching goals that the control objectives and activities that are in place are designed to meet and that the final report is to give assurance on, for example, “The system is protected against unauthorized access (both physical and logical).” To meet this criteria, a company may decide to include controls such as “Firewalls are installed at all external entry points” or “A User Access Review of Access Badges is performed on a Monthly Basis”. Criteria are used as a benchmark to assess the design and operating effectiveness of internal controls at an organization, however, Management is responsible for making sure that the controls in place support the defined criteria sufficiently.

There are best practice criteria available for most industries that reflect prevailing internal controls best practices and requirements from around the world, some of these can be found on the AICPA website if you would like some additional examples.

This definition and information is consistent in SSAE-18.

Are Service Provider Contract Updates Needed with SSAE 18?

While some companies still request a SAS 70 report (why, who knows…), many contracts now require a SSAE 16 report, and with the change to SSAE 18 many are now asking, what is the right language to use going forward? To fix this, the AICPA is now stating the standard number or reference should no longer to be used, and formally referred to as a SOC 1 report. This will hopefully help to prevent this situation in the future when new updates are inevitably implemented (SSAE 19, 20, …). A minor, but, helpful change.

So – while you do not *have* to update your contracts, it’s typically the best course of action, and now, going forward you shouldn’t have to worry about it again.

Are there any other nagging items like this you are running into? If so, contact us or leave a comment and we will do our best to clarify.