SSAE 18

This blog post gives an overview of the SSAE 18 framework.

This summary was produced based on the following online articles - credit goes to the authors of these postings:

https://legalclarity.org/what-is-a-sas-70-report-and-what-replaced-it/

https://rsmstoneforest.sg/expert-insights/ssae-18-compliant


An SSAE 18 compliant status conferred on a service organisation is a testimony that the service provider has adequate controls and safeguards in place to host and process the data of its clients.


What is SSAE 18?

SSAE (Statement on Standards for Attestation Engagements) 18 is an internationally-recognised service organisation reporting standard issued by the American Institute of Certified Public Accountants (AICPA). The purpose is to align with the International Standard on Assurance Engagements (ISAE) 3402 — a global standard for service organisation controls reporting — issued by the International Auditing and Assurance Board.

Prior to this, businesses that needed independent assurance on the controls and processes at third-party service organisations had relied on the Statement on Auditing Standards (SAS) No 70, also issued by the AICPA, since 1993. For example, US-listed companies required to comply with SOX 2002 Section 404 used SAS 70 compliance as the benchmark for ensuring that controls at their outsourced service providers were effective.

Effective 1 May 2017, SSAE 18 replaced SSAE 16.


How is the service organisation tested?

An independent licensed accounting firm will evaluate and test the control policies and procedures of a service organisation. Where the audit finds that the service organisation has met the global standard (SSAE 18), it will be issued with what is termed an AICPA Service Organisation Control (SOC) Report, which can then be relied upon by the financial auditors of an organisation that outsources work to that service organisation.

A SOC 1 (Type 2) Report essentially reports on the effectiveness of controls that are likely to be relevant to an audit of an organisation's financial statements.

Benefits

A company that engages an SSAE 18 compliant organisation enjoys:

  • Internationally recognised assurance of the service organisation’s ability to protect its data security, integrity and confidentiality
  • Convenience where the company needs to comply with the Sarbanes-Oxley Act (SOX) 2002 Section 404 to ensure that its outsourced partners have effective internal controls over financial reporting (ICOFR)
  • Cost savings, as the company auditors can now rely on the AICPA SOC reports and no additional audit fee needs to be incurred to audit their outsourced service organisation

The new framework created distinct reporting categories to serve different user needs. SOC 1 reports were designated as the direct successor to the SAS 70 Type II report, maintaining the focus on ICOFR. SOC 2 and SOC 3 reports were developed to address broader assurance needs related to security, privacy, and technology.

As an Example

A payroll processor would require SOC 1, while a cloud storage provider would require SOC 2.


SOC 1, 2 and 3 in Detail

SOC 1:

SOC 1 reports were designated as the direct successor to the SAS 70 Type II report, maintaining the focus on ICFR. A SOC 1 report is a restricted-use document designed for the management of the service organization, the user entity, and the user entity’s auditors.

SOC 2: 5 Key Criteria

The five criteria are Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Usually you will request a report covering all five criteria, but the scope can be targeted to a subset of them.

SOC 3:

A related report, the SOC 3, is a general-use report that is a condensed version of a SOC 2 Type 2 report. The SOC 3 contains only the auditor’s opinion and the management assertion. It omits the detailed description of controls and test results, making it suitable for public website posting and marketing purposes.

Type 1 and Type 2 Reports:

The distinction between Type 1 and Type 2 reports applies to both SOC 1 and SOC 2 reports. A Type 1 report focuses solely on the design and implementation of controls as of a specific date. It provides assurance that the controls are suitably designed to meet the control objectives at that single point in time.

A Type 1 report does not offer assurance regarding the operating effectiveness of the controls. User entities should treat it as an initial risk assessment tool. It merely confirms the controls are theoretically in place, as they have not been tested over a period of time.

A Type 2 report provides a higher level of assurance by focusing on the operating effectiveness of the controls over a specified period, typically six to twelve months. The auditor performs detailed testing of the controls throughout this period, not just at a single date. User entities relying on a vendor for mission-critical services or financial reporting controls should always request a Type 2 report.