Key Takeaways
1. SSAE 18 expands on the scope of SSAE 16 by addressing risks associated with financial reporting and data security in greater depth.
2. As an improvement to SSAE 16, SSAE 18 brings new requirements for subservice organizations and vendor management.
3. Transitioning to the new SOC 1 audit under the latest SSAE standards? I.S. Partners can help. With our specialized resources and in-depth understanding of local business nuances, we provide tailored support for risk assessments and documentation.
SSAE 16 vs SSAE 18: Which Should You Choose?
SSAE 16, or Statement on Standards for Attestation Engagements 16, established by the American Institute of Certified Public Accountants (AICPA), provides standards for service organizations to report on their controls and processes. This helps certified public accountants (CPAs) evaluate these organizations’ internal controls and how they protect clients’ data and systems.
Auditors referred to SSAE 16 when clients requested SOC 2 Type 1 or SOC 2 Type 2 reports.
SSAE 18, introduced in 2017, updates and replaces SSAE 16. It offers a revised set of auditing standards for companies to report on their internal controls.
SSAE is the attestation standard that guides auditors, particularly for SOC 1 engagements. SSAE establishes the requirements for attestation engagements, including SOC 1 reports; SSAE 18 is therefore the set of standards that governs the preparation and issuance of SOC 1 reports.
However, SSAE 18 has largely replaced SSAE 16, making SSAE 18 the preferred choice when comparing the two.
Parameter | SSAE 16 | SSAE 18 |
---|---|---|
Scope | Focuses on reporting controls at service organizations related to financial reporting. | Expands to include risks associated with financial reporting and cybersecurity. |
Complementary User-Entity Controls (CUECs) | Included both necessary and unnecessary controls for achieving control objectives, leading to inefficiencies. | Defines CUECs as only the controls essential to achieving management’s control objectives. |
Requirements Related to Subservice Organizations | Does not specifically address subservice organizations or vendor management. | Adds requirements for subservice organizations and vendor management processes, including Subservice Organization Controls. |
Language Used in the Management Assertion Letter | Focused on reporting controls at service organizations without specific revisions for CUECs and subservice organization controls. | Updates language to better address and integrate CUECs and subservice organization controls, redefining SOC as System and Organization Controls. |
Management Assertion Letter | Required but did not need to be signed, leading to less formal acknowledgment of responsibility. | Requires a signed Management Assertion Letter, adding accountability and a more rigorous approach. |
Risk Assessment | Did not explicitly address the risk assessment process in detail. | Introduces comprehensive requirements for evaluating risks related to controls at user entities and subservice organizations. |
Why Was SSAE 16 Replaced by SSAE 18?
The AICPA updated the attestation standards, shifting from SSAE 16 to SSAE 18, to simplify and align them with international standards. It mainly addresses concerns over their clarity, length, and complexity. While change can be challenging, this update helps unify the attestation process globally.
With the update to SSAE 18, the AICPA seeks to align attestation standards with international practices, making the process much easier to follow.
But what exactly has changed? Did the changes affect the organizations in any way? The differences are discussed in detail below.
Key Differences and Contrasts Between SSAE 16 and SSAE 18
The old SSAE 16 standard, guided by Attestation Standards section 801, focused on reporting controls at service organizations. In contrast, SSAE 18, which replaced SSAE 16 on May 1, 2017, is based on Attestation Standards section 320.
If a business offers services that might affect another company’s financial statements, it can request an audit to meet SSAE 18 standards. SSAE 18 provides clear guidelines for Certified Public Accountants (CPAs) to ensure their financial reporting is accurate and reliable.
Below, we assess the changes that transpired with the SSAE framework update using the following parameters:
- Scope
- Complementary User-Entity Controls
- Requirements Related to Subservice Organizations
- Language Used in the Management Assertion Letter
- Management Assertion Letter
- Risk Assessment
Scope
SSAE 16
SSAE 16 sets proper guidelines for service organizations to evaluate and communicate the effectiveness of their internal controls relevant to their client’s financial reporting. These controls focus on maintaining client data’s confidentiality, availability, and integrity.
SSAE 18
SSAE 18 goes further by helping organizations identify and address risks associated with financial reporting and cybersecurity. This standard encourages businesses to enhance their internal controls over financial reporting to minimize the chances of financial fraud, data breaches, and operational issues.
For companies heavily reliant on third-party service providers, SSAE 18 audits are particularly beneficial.
With the updated SSAE 18 and SOC 1 reports, the focus on necessary controls enhances the clarity and effectiveness of these assessments. See how I.S. Partners can help you achieve SOC 1 for more information.
Complementary User-Entity Controls
SSAE 16
Complementary user-entity controls (CUECs), also known as client control considerations or user control considerations (UCCs), are a component of a SOC report. They are the controls a vendor (service organization) expects its clients to have in place, operating at the user-entity level.
They played an important role in several areas:
- Designing, creating, and executing SOC reports
- Establishing and maintaining an effective control environment
- Ensuring efficient user access
- Managing overall risk
However, under the SSAE 16 standard, CUECs included both necessary and unnecessary controls for achieving the control objectives described by management. This broad approach often led to confusion and inefficiency, as companies had to address and evaluate many controls that were not essential to achieving their control objectives.
SSAE 18
In SSAE 18, CUECs are defined as only the controls essential to achieving the control objectives described by management. This narrower definition helps organizations concentrate on the controls that matter most, making internal control assessments more precise.
When determining and creating their CUECs, organizations should review their SOC and SSAE 18 requirements and consider various factors when working with a service provider, such as:
- Risk assessment
- Logical and physical access controls
- Internal audit
- Mitigation strategies
- Change management processes
- Data storage, backup, and restoration
- IT security measures and controls
- Monitoring, logging, and alerts
Requirements Related to Subservice Organizations
SSAE 16
SSAE 16 does not specifically address subservice organizations or vendor management processes.
SSAE 18
SSAE 18 expands on SSAE 16 by adding requirements for subservice organizations and vendor management processes. It also requires the inclusion of Subservice Organization Controls in management’s description, similar to Complementary User-Entity Controls.
For example, some vendor monitoring activities include:
- Reviewing and reconciling output reports
- Monitoring external communications, such as customer complaints, that are relevant to the services provided by the subservice organization
- Holding periodic discussions with the subservice organization
- Testing controls at the subservice organization by the service organization’s internal audit department
Language Used in the Management Assertion Letter
SSAE 16
Before SSAE 18, the Management Assertion Letter and Service Auditor’s Report under SSAE 16 focused on reporting controls at service organizations without specific revisions for complementary user-entity and subservice organization controls. The language was geared towards assessing the effectiveness of internal controls at the service organization itself.
Under the older standard, the acronym SOC meant Service Organization Control. This definition focuses on controls related to service organizations and their internal processes.
SSAE 18
SSAE 18 introduced revisions to these documents’ language to better address and integrate complementary user-entity controls and subservice organization controls. This update aimed to provide a clearer, more detailed framework for reporting on these controls so that all necessary controls are appropriately described and managed.
Meanwhile, the SSAE 18 standard redefines the SOC acronym as System and Organization Controls. This updated definition expands the scope to include various types of organizations.
It includes both system-level and entity-level controls, providing a broader framework for assessing and reporting on controls across different organizational contexts.
Management Assertion Letter
SSAE 16
Under the SSAE 16 standard, a Management Assertion Letter was required but did not need to be signed. This letter confirmed that management’s description of controls was accurate and complete, but the lack of a signature meant there was no formal acknowledgment of responsibility from management.
SSAE 18
The SSAE 18 standard requires the Management Assertion Letter to be signed. This signed letter serves as a formal acknowledgment from management, affirming their responsibility for the accuracy and completeness of the control description. This change adds a layer of accountability and ensures a more rigorous approach to attestation.
Risk Assessment
SSAE 16
The SSAE 16 Standard did not explicitly address the risk assessment process in detail. It focused primarily on the controls implemented by the service organization itself and did not include specific requirements for assessing risks associated with controls at user entities or subservice organizations.
SSAE 18
The SSAE 18 Standard introduces more comprehensive requirements for the risk assessment process. It now includes the need to evaluate risks related to controls expected to be implemented at both user entities and subservice organizations.
This change ensures a broader assessment of risks, providing a more thorough understanding of how these external factors might impact the effectiveness of controls and overall risk management.
What Does SSAE 18 Not Cover?
Let’s clear up a few misconceptions about SSAE 18. First off, SSAE 18 is not a certification. This has been true for previous standards like SSAE 16 and SAS 70 as well.
You won’t find an “SSAE 18 certified” badge or designation—any service organization claiming otherwise is misleading their customers and stakeholders.
SSAE 18 is simply the standard audit practitioners use to conduct various attestation reports. It’s not a certification or a guarantee of a specific type of report.
So, if you encounter terminology suggesting otherwise, remember that SSAE 18 is about guiding the auditing process rather than certifying an organization.
Does SSAE 21 Replace SSAE 18?
In 2016, the AICPA rolled out SSAE 18 to replace the earlier SSAE 16, aiming to standardize and improve attestation criteria. Fast forward to 2022, and SSAE 21 took over from SSAE 18. Each new standard builds on the previous one, refining and updating the requirements to better meet current needs and practices.
SSAE 21 introduces direct examination engagements, which allow practitioners to measure or evaluate non-financial subject matter against criteria and report their findings directly to users. Unlike SSAE 18, which only permitted assertion-based engagements in which the responsible party had to provide an assertion, SSAE 21 does not require the responsible party to measure or evaluate the subject matter or provide a written assertion.
Also, SSAE 21 amends AT-C Section 105, “Concepts Common to All Attestation Engagements,” and introduces a new AT-C Section 206, “Direct Examination Engagements.” These updates help auditors adapt to the evolving security landscape and assess new technologies.
Comply With the NEW SOC 1 Requirements Through I.S. Partners
As of 2022, SSAE 21 has officially taken the stage, and if you still need to update your processes, now’s the time to do so. The shift means that all organizations must now produce their SOC reports under the new SSAE 21 standard.
While your SOC 1 Report will still look familiar, you’ll notice a few new sections and controls designed to enhance the report’s detail and quality.
This change aims to improve the reliability of the report and places greater emphasis on managing and understanding user entities’ internal controls and third-party vendor relationships.
Start with a formal risk assessment to smooth the transition. I.S. Partners, with our specialized resources and expertise, is here to guide you through this process.
We offer comprehensive support to help you assess your risks and document your controls effectively. Our U.S.-based team ensures you benefit from a deep understanding of local business nuances and regulations without outsourcing.
You’ll work with the same dedicated professionals throughout the entire process of SOC reporting.
Curious about how we can assist you?
Schedule a call to explore how we can support your transition to the new SOC 1 audit standard.