September 22, 2017

The SSAE 18 Audit Standard (Updates and Replaces SSAE-16)


SSAE 18 is a series of enhancements aimed to increase the usefulness and quality of SOC reports, now, superseding SSAE 16, and, obviously the relic of audit reports, SAS 70. The changes made to the standard this time around will require companies to take more control and ownership of their own internal controls around the identification and classification of risk and appropriate management of third party vendor relationships. These changes, while, not overly burdensome, will help close the loop on key areas that industry professionals noted gaps in many service organization’s reports.

SSAE18 is now effective as of May 1, 2017, and if you have not made the necessary adjustments required, now is the time to find a quality provider to discuss the proper steps. All organizations are now required to issue their System and Organization Controls (SOC) Report under the SSAE-18 standard in an SOC 1 Report. The SOC 1 report produced will look and feel very similar to the one issued under SSAE-16, it will just contain a couple additional sections and controls to further enhance the content and quality, and thus, the ability for third parties to rely on.

What’s New in SSAE 18?

As mentioned above, there are a couple key changes that Companies currently performing a SOC 1 or 2, or, will be performing one in the near future, need to take into consideration this year and going forward.

  1. Service Organizations will need to implement a formal Third Party Vendor Management Program
  2. Service Organizations will need to implement a formal Annual Risk Assessment process

In addition to the control based changes, your SOC report should also now contain two additional sections describing the risk assessment process, as well as, the Subservice Organizations that play a role in the overall operation of the system and the corresponding controls they impact or have complete ownership of. These two components were typically present in SOC 2 reports previously, but, not formally required. Now, this concept is being formalized and extended to all SOC reports going forward.

Now, for companies that have not previously undergone a SOC 1 audit because their service / operations were not financially significant, SSAE 18 now expands the definition of what is allowed to be reported on to include an entity’s compliance with certain laws or regulations, contractual arrangements, or another set of defined agreed-upon procedures – just about any outsourced service where 3rd party validation would be beneficial and add assurance. This now allows for an official, independent review, of a wide-range of operations under a trusted and consistent set of auditing and reporting guidelines.

Who Needs an SSAE 18 (SOC 1) Audit?

A service organization’s services are part of an entity’s information system if they affect any of the following:The classes of transactions in the entity’s operations that are significant to the entity’s financial statements. The procedures, both automated and manual, by which the entity’s transactions are initiated, recorded, processed, and reported from their occurrence to their inclusion in the financial statements.The related accounting records, whether electronic or manual, supporting information, and specific accounts in the entity’s financial statements involved in initiating, recording, processing and reporting the entity’s transactions. How the entity’s information system captures other events and conditions that are significant to the financial statements. The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures.If your Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), you will more than likely be asked to provide an SOC 1 Type II Report, especially if the User Organization is publicly traded.
Some example industries include:

  • Payroll Processing
  • Loan Servicing
  • Data Center/Co-Location/Network Monitoring Services
  • Software as a Service (SaaS)
  • Medical Claims Processors

How Does My Company Best Prepare?:

Before starting the SSAE 18 process, there are a number of considerations one must take into account that can save considerable time, effort, and money in the long run. Use the following items as a mini checklist for yourself:

  • Does my Company need an SSAE18, or, are we doing it just because someone asked?
  • Reports on the low end can run at least $15,000 a year, will the business lost be less of a burden than the cost of the report itself?
  • Does your company have defined Business Process and IT controls in place, or, will you need assistance developing and implementing them (readiness assessment)?
  • Have you determined the controls in place which affect the outsourced services being provided?
  • Have key stakeholders been defined and included in discussions?

There are many other issues to consider before engaging a CPA firm to help with your SSAE 18, for a more detailed ‘checklist’ – please see The SSAE 18 Checklist.