SSAE-18 is on the horizon, and it brings a few key changes from the current SSAE-16. These changes will help to clarify and formalize requirements for performing and reporting on examination, review, and agreed-upon procedures engagements, and expand the potential of what an SSAE-16 can report on.
What do I need to know as a Service Organization?
When is SSAE-18 effective?
For reports dated on or after May 1, 2017.
What can SSAE-18 report on?
In addition to processes related to financial statements, SSAE-18 can now report on an entity’s compliance with certain laws or regulations, contractual arrangements, or another set of defined agreed-upon procedures – just about any outsourced service where third-party validation would be beneficial and add assurance.
What about Companies with a current SSAE 16?
If you have never performed a risk assessment in the past, you will most likely need to think about implementing one.
- Risk assessments are a common requirement in SOC 2, but not so much in SOC 1. In SSAE 18, there is now an increased focus on the performance of a risk assessment at least annually.
- A risk assessment should have a defined linkage between the potential risks of material misstatement and the controls in place to respond to the assessed risks, and remediation plans to mitigate any identified high-risk issues.
What do I do next?
This shouldn’t bring about any panic for those currently with an audit and a service provider. It should actually open the door for more service offerings and a higher level of assurance all around between companies and those they outsource services to.