

Statement on Standards for Attestation Engagements (SSAE) No. 18, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) on May 1, 2017. SSAE 18 effectively replaces SSAE 16 as the authoritative guidance for reporting on service organizations. SSAE 18 was formally issued on May 1, 2017. SSAE 18 was drafted with the intention and purpose of updating the US service organization reporting standard so that it mirrors and complies with the new international service organization reporting standard, ISAE 3402. SSAE 18 also establishes a new Attestation Standard called AT 801, which contains guidance for performing the service auditor's examination. Many service organizations that previously had a SAS 70 service auditor's examination ("SAS 70 audit") performed converted to the SSAE 16 standard in 2011 and have now moved to the SSAE 18 report, also referred to as a Service Organization Controls (SOC) 1 report.



While "SAS 70" was a well-known acronym representing an in-depth audit of a third-party service organization, the original Statement on Auditing Standards (SAS) No. 70 was one of many periodic statements issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). These periodic statements generally involve the modification of existing auditing standards or the introduction of new auditing standards. With the passage of the Sarbanes-Oxley Act of 2002, the Public Company Accounting Oversight Board (PCAOB) will also issue auditing standards for public companies (i.e., registrants of the SEC) on a go-forward basis.
On May 1, 2017, the AICPA published a new Attestation Standard, SSAE No. 18, to supersede the existing guidance (SSAE 16) for performing an examination of a service organization's controls and processes.




User organizations that obtain a Service Auditor's Report from their service organization(s) receive valuable information regarding the service organization's controls and the effectiveness of those controls. The user organization receives a detailed description of the service organization's controls and an independent assessment of whether the controls were placed in operation, suitably designed, and operating effectively.


User organizations should provide a Service Auditor's Report to their auditors. This will greatly assist the user auditor in planning the audit of the user organization's financial statements. Without a Service Auditor's Report, the user organization would likely have to incur additional costs in sending their auditors to the service organization to perform their procedures.



Service organizations can receive significant value from having an SSAE 18 examination performed. A Service Auditor's Report with an unqualified opinion that is issued by an Independent Auditing Firm differentiates the service organization from its peers by demonstrating the establishment of control objectives and effectively designed control activities. A Service Auditor's Report can also help a service organization build trust with its user organizations (i.e., customers).

Without a current Service Auditor's Report, a service organization may have to entertain multiple audit requests from its customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organization's resources. A Service Auditor's Report ensures that all user organizations and their auditors have access to the same information and in many cases this will satisfy the user auditor's requirements.


SSAE 18 engagements are generally performed by audit-, risk-, and control-oriented professionals who have experience in accounting, auditing, and information security. An SSAE 18 engagement allows a service organization to have its control policies and procedures evaluated and tested (in the case of a Type II engagement) by an independent party. Very often this process results in the identification of opportunities for improvements in many operational areas.


