SSAE 18 Updates & Requirements

SSAE 18 Updates & Requirements

You probably imagine SSAE 18 to be a complicated concept. It is quite easy to get lost in the complexity of its naming process due to the lots of numbers and letters. However, when you break down the process, you will realize how significant it is in making the compliance process simpler.

What Does SSAE Mean?

The first step to understanding the SSAE 18 requirements is by comprehending the term SSAE itself. In that case, you ought to know that SSAE is the short form of “Statement on Standards for Attestation Engagements.” It was set up by the AICPA (American Institute of Certified Public Accountants) so that it could translate the auditing specifications for CPAs. 

Many are the time's people assume that “Attest Engagement” is a fancy term for auditing. According to the AICPA, attest engagements refer to when a public practice accountant issues an evaluation, an examination, or an agreed-upon operation report on the subject matter on behalf of another party.

What this means is that an attest engagement is a bit broader than auditing. An attestation standard requires you to look at management activities in which after you should compare these statements to the existing reality. To the contrary, auditing is a type of attestation engagement but in which a third-party reviews whether a client is an adherent to specific rules within a stated framework.

To put this into perspective, you need to have a solid example. For instance, your company can request for attestation to track down if you are protecting customer data adequately. In doing so, you allow a practitioner to carry out investigations to determine whether management controls and set goals match. The attestation is later passed to future clients and customers with the intention of creating confidence in management.

At this point, the audit is precise and confidential. The primary goal of the audit is to confirm that the client is adhering to the internal control regulations for Fed-RAMP, PCI DSS, or ISO 27001. Even though it is possible to intertwine both the SSAE and the audit data, it is good to keep in mind that both have a slight difference in purpose and documentation.

How is an SSAE 18 Used?

So much has changed throughout IT auditing history. Currently, there is a new type of report which guarantees client’s confidence over the firm’s controls. Organizations which use service organization plus user entities must evidence their support towards review as part of their vendor management obligation.

The case is different when compared to past times. To begin with, long ago the SSAE 18, which replaced the SSAE 16, went by the name SAS 70. Also, before one could hire a vendor, the appropriate vendor management made sure to check the vendor controls. For any deal made with a vendor, an SAS 70 had to evidence proper management oversight.

Nonetheless, not so much changed after SAS 70 morphed into SSAE 16, except the specifics. The goals of the report remained intact. But later in 2016, ABS – Auditing Standards Board attestation requirements for SOC reports, particularly SOC 1encountered a recodification.

At the time, an SSAE 16 was only applicable to SOC 1 and service organizations. It was a critical factor that set apart the current SSAE18 from the old version of SSAE 16. The terms limited specific service organizations, but now, with recent advancements, anyone can incorporate attestation engagement. Currently, SOC 1 has regained its previous form, and SSAE 18 requirements are applicable in all attestation examinations.

What are the Key Differences between SSAE 16 and SSAE 18 Requirements?

Regardless of there being only two differences from the previous protocols, significant changes have occurred. Even so, understanding the SSAE 18 is so straightforward that you need to trace the differences from the SSAE 16.

Identify all Subservice Providers

Just as the name suggests, a service organization is a body that provides a service. It covers anything from cloud hosting to PCI DSS services. Often, these service providers also get services from other service providers. Sub-service providers are the name they go by because they supply services to other service providers.

Vendors apply the same policy. An example is a company that uses AWS. AWS might get its physical security from Securitas. It is possible that Securitas also hires out experts for background checks. Note the long chain? That is why it’s your role to understand all these connections so that you map robustness of all controls involved. As you can see, understanding SSAE 18 requirements is not only about identifying the severity of separation, but it also means figuring out the connections so that you can build a whole from the parts.

Understanding Complementary Subservice Organization Controls

The next step after identifying the sub-service providers is determining the controls they use. When you rely on vendors, hiring one is like hiring all. So, if you want to understand a compliance stance, your firm has to be in the know of all the moving parts.

You can only consider yourself to be in SSAE compliance once you test each degree of the separation for security compliance. Keep in mind, that when one fails, the others experience a domino’s effect. That said, an organization should watch and detail the controls of the sub-service firm in its business stream. Remember that when the compliance has robust connections, the higher the compliance of the whole business integrations.

How Does a Company Comply with SSAE 18?

Step one of SSAE 18 SOC1 compliance is getting a risk assessment. SOC 2 usually centralizes on the risk matrix, which is not a rule for SOC 1. Thus, when you integrate these contemporary sub-service providers’ reviews, you allow SSAE 18 to focus on the organization’s complete vendor risk profile. Besides that, SSAE 18 summarizes six ways that could improve compliance.

  1. Organizations ought to check and reconcile output records.
  2. The firm needs to hold periodic meetings with the sub-service organizations.
  3. There ought to be several site visits to the sub-service firm to guarantee their statements.
  4. The company’s internal audit body ought to verify sub-service vendor controls.
  5.  The firm’s management should test the sub-service SOC 1 or SOC 2 reports.
  6. The company needs to track all external communication relating to sub-service vendors.

How Can Automation SSAE 18 Requirements?

Vendor management has become more complex. It becomes necessary to combine all the information in a single location. Keep in mind that the auditors will also want to check the firm’s oversight of the sub-service providers.

With this in mind, it will be vital to have a system of records in place so that you can use them as proof of your compliance. Using automation, it will be simple to not only create the documentation but also to have a safe place to store the information. It will even stand as truth for the oversight required meeting the SSAE 18 specifications.

When you understand the changes made to SSAE 18, it will be simpler to comprehend your organization partner’s as well as their associates. You will also get new ways to organize data since you will have to manage the new responsibilities and documentation required to meet the standards.

Author Bio

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.