What Is SSAE 18, and How Does it Relate to SOC Reports?


SSAE 18 is the attestation standard for reporting on a service organization's controls, most notably the controls that affect its clients' financial reporting. It comes from the American Institute of Certified Public Accountants (AICPA) and sets out how a service auditor examines and reports on those controls and on management's description of the system. For SOC reports, SSAE 18 defines what management must assert and what the auditor must test so that the resulting report can be relied upon.

Most organizations have at least heard of SOC reports. Published and administered by the American Institute of Certified Public Accountants (AICPA), the SOC family of attestation reports helps organizations demonstrate adherence to best practices around data privacy, cybersecurity, risk assessment and financial reporting.

Since SOC requirements come directly from the AICPA, that body also publishes the guidance that governs SOC audits and compliance. One of the primary documents is Statement on Standards for Attestation Engagements No. 18 (SSAE 18).

What Is the History of SSAE 18?

SSAE 18 is the latest step in the evolution of standards for controls around financial reporting in service organizations. That lineage begins with SAS 70, introduced in 1992 as outsourced data processing became more prominent; it was designed so that any company relying on a service organization could be assured of the integrity of that processing.

SSAE 18 took effect in 2017 to reflect the need for managing and reporting internal controls in a way that aligned with international standards.

SSAE 18 comes at the tail end of more than two decades of evolving cybersecurity and financial reporting requirements. The AICPA, working within several industry requirements and government regulations, releases publications to help SOC auditors and assessed organizations understand exactly what goes into an attestation.

The history of SSAE 18 can be traced back to the early 1990s:

  • Statement on Auditing Standards 70 (SAS 70): Released in 1992, this standard provided guidance for auditing the financial statements of user organizations that rely on a service organization whose processing affects their financial reporting, and for reporting on that service organization's controls.
  • COSO Internal Control Integrated Framework: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private-sector professional organizations formed to combat fraudulent financial reporting. While not an AICPA publication, this framework (first released in 1992 and updated in 2013) defines the components of internal control that the attestation standards build on.
  • SAS 78: Released in 1995, this statement amended SAS 55 to adopt the COSO definition and components of internal control for financial statement audits.
  • International Standard on Assurance Engagements (ISAE) 3402: Issued in 2009 by the International Auditing and Assurance Standards Board, this standard defines assurance engagements (audits) on controls at a service organization and is the international counterpart of the SSAE line.
  • SSAE 16: Issued in 2010, this standard superseded SAS 70 for reporting on controls at a service organization and was written to align with ISAE 3402; it is also more closely aligned with Sarbanes-Oxley Act (SOX) requirements. With it, SAS 70 examination reports were replaced by SOC reports (specifically SOC 1).
  • Trust Services Criteria: The AICPA released additional criteria, used in SOC 2 and SOC 3 examinations, defining the five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality and Privacy) and aligning them with the COSO framework.
  • SSAE 18: Issued in April 2016 and effective May 1, 2017, this standard recodifies and clarifies the earlier attestation standards under a single standard.

What Is in SSAE 18?


As an attestation standard set by the American Institute of Certified Public Accountants, SSAE 18 outlines key expectations for data security, IT controls, risk management and privacy practices that service organizations should meet in order to build trust with clients and stakeholders.

By adhering to the standard, service companies show their commitment to security, privacy and integrity across their financial reporting and internal operations.

The AICPA's own documentation describes SSAE 18 as a codification and clarification of the previous SSAEs. In plain terms, the AICPA meant SSAE 18 to take guidance scattered across several earlier statements and streamline it into a single approach.

At the heart of this approach is the "attestation engagement." Such an engagement resembles an audit, but it is not a checklist against a fixed set of requirements. Instead, the service organization describes its own system: what controls it has implemented, how they work, and how they meet its control objectives. The service auditor then inspects and tests the relevant controls to verify that the description is accurate and that the controls operate as stated.

SSAE 18 focuses on controls over financial reporting, including the accuracy, transparency and security of those reports. Compared with SAS 70, the SSAE line imposes more stringent reporting requirements: a written management assertion, a fuller description of the system, and, for Type II reports, coverage of a defined period rather than a single date.

The management assertion is central to the assessment: it is a written statement by the service organization's management attesting that the system description is fairly presented and that the controls are suitably designed (and, for Type II, operating effectively). Management must have a "reasonable basis" for that assertion. SSAE 18 expects management to support it with formal, documented monitoring processes, including monitoring of any subservice organizations it relies on, and with annual risk assessments.

SSAE 18 also defines how to handle controls at third parties (subservice organizations) that form part of your system: they can be excluded from the report's scope under the carve-out method or brought into it under the inclusive method, with the service organization's own monitoring of them described either way.

Finally, and simply put, SSAE 18 is the standard under which SOC 1 reports are issued (SOC 2 examinations are performed under it as well). It defines two types of SOC 1 report:

  • Type I: Reports on the design and implementation of controls as of a single specified date.
  • Type II: Reports on the design of controls and on tests of their operating effectiveness over a period of time, typically six to twelve months.

Streamline SSAE SOC 1 and SOC 2 Attestation with Continuum GRC

SOC 1 and SOC 2 reports, issued under SSAE 18, are attestations showing that a service organization's controls meet the criteria that support accurate and ethical practices for security, processing integrity, confidentiality and the other key elements.

Managing the process of attestation can be a heavy lift; Continuum GRC is in the business of handling this complex job to make it simpler and more efficient for your service organization.

SSAE 18 attestation takes accurate, straightforward reporting alongside understanding how best practices, forms, and assessments play a role in your regular business operations. Continuum GRC streamlines SSAE SOC 1 and SOC 2 assessment by removing the need for manual compliance monitoring and stone-age tools, bringing together automation and cloud services to simplify audits. 

Are You Preparing for SSAE 18 Audits?

An SSAE 18 audit can be complicated, with many elements that must be reviewed, tested, and perhaps upgraded. It can be time-consuming, taking employees away from other key projects.

But it doesn’t have to be. Continuum GRC can handle your SSAE 18 audit efficiently. We are a service auditor that evaluates service companies for compliance with standards covering risk management, data security and financial reporting controls.

What Is the SSAE 18 Audit Standard?

The SSAE 18 audit determines if a service provider is meeting established standards for internal controls that impact their clients’ financial security and privacy. These standards have been determined by the American Institute of Certified Public Accountants and are designed to match not just national but international standards as well.

Depending on the type of service provider, the SSAE 18 audit reviews elements like risk management, IT security, confidentiality practices, accuracy, and privacy in financial reporting. These are essential for companies that handle things like cloud computing, payroll, and IT services, for example.

The audit reveals areas that can be improved to meet the established standards. Meeting these standards with a thorough SSAE 18 audit demonstrates to outside stakeholders and clients that you’re committed to providing them with the highest levels of professionalism and security. And that’s a huge part of establishing and assuring trust in these important relationships.

Who Needs an SSAE 18 SOC Audit?

Service organizations that provide outsourced services like payroll, IT, or cloud computing will benefit from an SSAE 18 SOC audit. This process reviews current practices and controls around sensitive operations and reporting methods. The audit also looks at the organization’s risk assessment process and how it anticipates and prepares for rapidly evolving threats in its industry.

The resulting assessment is an invaluable tool for spotting critical areas in your internal infrastructure that need shoring up. Once you meet these careful standards, the important relationships you’ve cultivated with clients and stakeholders are reinforced with even greater trust and confidence.

SOC audits done through Continuum GRC help your company achieve this coveted status with less stress. We’re experts in every aspect of the attestation services required for assessment and compliance. Give your organization (and your clients) the benefits and confidence that result from a thorough SSAE SOC audit.

Call Continuum GRC at 1-888-896-6207 or complete the form below.

Download our company brochure.
