SSAE 16 and SSAE 18 audits bring tons of questions. In this section we hope to answer some of the questions we frequently come across during our calls and client interactions.
SSAE-18 will be effective for all reports issued after May 1, 2017.
Previously, under SSAE-16, a Management Representation Letter was highly recommended and common practice; however, it was not explicitly required to be obtained except in certain existing subject matter sections. This is now consistent across all sections.
SOC 1 stemmed from the original SAS 70 report. Once SSAE 16 was issued in April 2010, the formal report name was changed to SOC 1 report (but issued under the SSAE 16 guidance), effective as of June 2011. SSAE 18 was then issued in May 2017 and will be effective as of December 2018, applying to all SOC 1 reports issued thereafter.
The SSAE 18 audit standard is a framework for reporting on an examination of controls at a service organization relevant to user entities’ internal control over financial reporting.
As of the latest SSAE 18 and SOC 2 updates, vendor management and review of any relevant compliance / audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.) has become a key component of monitoring for potential security and compliance risks when outsourcing functions that use a third party’s data.
Criteria are the various factors that provide a frame of reference to be evaluated by a practitioner. Without having defined criteria, any conclusion is open to individual interpretation and misunderstanding.
Suitable criteria exhibit all of the following characteristics:
- Relevance. Criteria are relevant to the subject matter.
- Objectivity. Criteria are free from bias.
- Measurability. Criteria permit reasonably consistent measurements, qualitative or quantitative, of subject matter.
- Completeness. Criteria are complete when subject matter prepared in accordance with them does not omit relevant factors that could reasonably be expected to affect decisions of the intended users made on the basis of that subject matter.
The relative importance of each characteristic to a particular engagement is a matter of professional judgment.