Whether your business involves cloud computing, payroll processing or another service, it is vital to handle your clients’ and partners’ information in ways that are safe, accurate and reliable. The standards established by the American Institute of Certified Public Accountants set out the requirements for reports on factors like daily activities to ensure that information and transactions are handled properly. SSAE 18, which replaces and clarifies earlier requirements like SSAE 16, includes a range of attestation reports for full accountability and security.
How Does SSAE 18 Differ from SSAE 16?
SSAE 18 replaced SSAE 16 for any report dates after May 1, 2017. The purpose of the new standard was to clarify and address any concerns that involved the complexity, length and ease of understanding of the AICPA standards as a whole.
One of the key differences is that SSAE 18 combines a number of SSAEs that were not related to SSAE 16, while SSAE 16 specifically addressed SOC 1 reports. Many people used SSAE 16 and SOC 1 interchangeably, often referring to SOC 1 reports as SSAE 16 reports. Since the new standard addresses SOC 1, SOC 2 and other reports, it’s important to state which reports you mean in order to avoid confusion.
Additionally, SSAE 18 changes how a service organization deals with what is known as a subservice organization. A service organization continues to be defined as an organization that provides services to another organization. These can include payroll services, colocation, cloud computing and other services. Subservice organizations are the ones that the service organization uses to perform those services. So, if you provide cloud services, you are a service organization; the company whose data centers you use to provide that service is the subservice organization. Under SSAE 18, you must be able to vouch for that organization on an ongoing basis. It is no longer considered sufficient to check out an organization at the time you initially buy their services; instead, they must be audited regularly.
Before You Get Started with SSAE 18
- Determine your scope
- Determine physical office locations to include and the testing period
- Complete an internal assessment
- Address additional areas of concern
Determine Your Scope
The first step is to determine the scope of your engagement for audits and reports. Are there any reporting assessments you’ve done in the past that can help you determine the proper scope? What control objectives are you using to form the basis of your reporting? Which subservice organizations do you work with and how do you intend to include them?
Determine Physical Office Locations and the Testing Period
Next, look at which physical locations will be included in the scope of your report, as well as the testing period that you plan to use for reporting.
Complete an Internal Assessment
Once you’ve determined the above, it’s time to do an internal assessment. We can help you with your audit to see where you are and what needs to happen to make your company compliant.
Address Additional Areas of Concern
After your internal assessment, take the time to handle any areas of concern. Remediation is a key part of the process; correcting any issues makes you look better on your actual assessments and can provide the protection that is needed for safe business operation.
What’s Required for SSAE 18
The reports you will need to produce to stay compliant with SSAE 18 standards depend on your company’s services and the businesses that you contract with to offer them. In most cases, you’ll have at least SOC 1 requirements for your reports.
In these reports, you’ll need to provide at least the following information:
- A description of your system
- A written statement of assertion
A description of your system
This is a general description that will include details such as the services you provide, your policies and procedures, and the personnel and activities that are involved in your core services.
There are no hard and fast rules on documenting your organization’s system; however, you should include as much relevant information as possible.
A written statement of assertion
This statement should come from your management team. The statement is a document that includes clauses and provisions about the services you provide. You must be able to assert that your system was designed and operated in a way that is suitable to achieve your organization’s goals. You’ll also need to expand on the criteria you use for this assertion, as well as any risk factors and controls that are in place to mitigate them. While this wasn’t a necessary part of reports under SAS 70 auditing, it’s been included in both SSAE 16 and SSAE 18 standards.
Getting Help With Your SSAE 18 Report
I.S. Partners is dedicated to making sure that our customers are always compliant with the latest requirements for their industry. Need a helping hand with AICPA standards? Call us at 215-675-1400, request a quote, or launch a live chat to get an estimate today!