Previously, under SSAE-16, a Management Representation Letter was highly recommended and common practice; however, it was not explicitly required to be obtained except under certain existing subject-matter sections. Under SSAE-18 this requirement is now consistent across all sections.
SSAE-18 will be effective for all reports issued after May 1, 2017.
As of the latest SSAE 18 and SOC 2 updates, vendor management and the review of any relevant compliance and audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.) have become key components of monitoring for potential security and compliance risks when outsourcing functions that use a third party's data.
Suitable criteria exhibit all of the following characteristics:
- Relevance. Criteria are relevant to the subject matter.
- Objectivity. Criteria are free from bias.
- Measurability. Criteria permit reasonably consistent measurements, qualitative or quantitative, of the subject matter.
- Completeness. Criteria are complete when subject matter prepared in accordance with them does not omit relevant factors that could reasonably be expected to affect decisions of the intended users made on the basis of that subject matter.
The relative importance of each characteristic to a particular engagement is a matter of professional judgment.