September 23, 2021

Blog Archives

Are Representation Letters Required in SSAE 18?

Previously, in SSAE-16, a Management Representation Letter was highly recommended and common practice; however, it was not explicitly required to be obtained except in certain existing subject matter sections. This is now consistent across all sections.

When is SSAE-18 Effective?

SSAE-18 will be effective for all reports issued after May 1, 2017.

Are Third Party Vendor reviews required for SOC 1 and SOC 2?

As of the latest SSAE 18 and SOC 2 updates, vendor management and review of any relevant compliance / audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.) has become a key component of monitoring for potential security and compliance risks when outsourcing functions that use a third party’s data.

What are considered suitable audit Criteria?

Suitable criteria exhibit all of the following characteristics:

  • Relevance. Criteria are relevant to the subject matter.
  • Objectivity. Criteria are free from bias.
  • Measurability. Criteria permit reasonably consistent measurements, qualitative or quantitative, of subject matter.
  • Completeness. Criteria are complete when subject matter prepared in accordance with them does not omit relevant factors that could reasonably be expected to affect decisions of the intended users made on the basis of that subject matter.

The relative importance of each characteristic to a particular engagement is a matter of professional judgment.