What Is SSAE16 And Why It Was Superseded By SSAE 18?

Why Was SSAE16 Superseded By SSAE 18?

SSAE 16 was superseded by SSAE 18 to address certain limitations and enhance the auditing standard. The main reasons for the transition include:

1. Clarification and alignment

SSAE 16 lacked specific guidance in certain areas, leading to inconsistent interpretations and practices. SSAE 18 aimed to address these gaps by providing more detailed guidance and aligning the standard with international auditing standards. This alignment ensures that audits conducted under SSAE 18 are more globally recognized and comparable.

2. Focus on risk assessment

SSAE 16 did not explicitly emphasize risk assessment. SSAE 18 recognized the importance of risk assessment in evaluating the effectiveness of controls and ensuring a more focused and comprehensive audit. It introduced the concept of risk assessment procedures to identify and address risks that could impact the services provided by the organization being audited.

3. Subservice organizations

SSAE 16 did not provide specific guidance on the assessment of controls at subservice organizations. This limitation hindered the ability to evaluate the entire control environment when organizations relied on sub service providers. SSAE 18 addressed this gap by including specific requirements and guidance for audits involving sub service organizations. It allowed auditors to assess the control environment more comprehensively, including controls at both the service organization and sub service organization levels.

4. Reporting on SOC engagements

Under SSAE 16, the primary report issued was the Service Organization Control (SOC) 1 report. This report focused on the controls relevant to the financial reporting of the service organization. It provided information on the design and operating effectiveness of controls over financial reporting and was intended for use by user entities and their auditors to support their financial statement audits.

However, with the transition to SSAE 18, the reporting landscape expanded to include SOC 2 and SOC 3 reports in addition to SOC 1 reports. The introduction of these additional reporting options allowed organizations to report on a broader range of controls and meet the varying needs of their stakeholders.

5. Other enhancements

SSAE 18 introduced several other enhancements and clarifications compared to SSAE16. It provided additional guidance on selecting control criteria, evaluating control design and operating effectiveness, and performing risk assessments. It also addressed areas such as the use of complementary user entity controls (CUECs), subsurface organization monitoring, and the inclusion of a description of the “system” in the service auditor’s report.

How To Attain Compliance With SSAE18?

To comply with SSAE 18, service organizations should consider the following steps:

• Determine the need for an attestation engagement: Evaluate whether your organization provides services that impact the financial reporting or operational controls of your clients or if clients require assurance in other areas like security, availability, processing integrity, confidentiality, or privacy.
• Identify relevant control objectives: Identify the control objectives that apply to your organization’s services and align with the appropriate framework, such as the Trust Services Criteria for SOC 2 reports or the control objectives for SOC 1 reports.
• Design and implement controls: Develop and implement controls that address the identified control objectives. These controls can mitigate risks and ensure the security, availability, processing integrity, confidentiality, or privacy of the services provided.
• Engage an independent service auditor: Engage a qualified and independent service auditor to conduct an attestation engagement. The auditor will assess and evaluate the effectiveness of your organization’s controls based on the selected framework.
• Prepare for the audit: Provide the necessary documentation and evidence to support the effectiveness of your controls. This may include policies, procedures, evidence of control implementation, and any other relevant documentation.
• Conduct the attestation engagement: The service auditor will perform testing, interviews, and other procedures. They will assess the design and operating effectiveness of the controls. They will issue a report that details their findings and conclusions.
• Communicate the results: Share the attestation report with your clients and other relevant stakeholders who require assurance on your controls. The report provides transparency and assurance regarding the effectiveness of your organization’s controls.