What is SSAE-18 (Statement on Standards for Attestation Engagements No. 18) and how is it used to assess the effectiveness of controls at service organizations?

Answer 1

SSAE-18 (Statement on Standards for Attestation Engagements No. 18) is a set of auditing standards developed by the American Institute of Certified Public Accountants (AICPA) to help service organizations demonstrate the effectiveness of their controls over financial reporting, compliance, and security. SSAE-18 replaces the previous standard, SSAE-16.

Service organizations, such as data centers, cloud service providers, and payroll processing companies, often provide services that are critical to the financial reporting of their clients. As a result, these service organizations are often subject to audits by their clients' auditors to ensure that their controls are effective and meet the requirements of their clients' regulatory and compliance obligations.

SSAE-18 provides a framework for these audits, which are conducted by third-party auditors known as Service Organization Control (SOC) auditors. The standard requires service organizations to provide a description of their system and the controls they have implemented to meet their clients' requirements. The auditors then assess the design and operating effectiveness of these controls to provide an opinion on the effectiveness of the controls.

SSAE-18 includes three types of SOC reports:

SOC 1: Reports on the controls over financial reporting. These reports are intended to provide assurance to clients' auditors that the service organization's controls are effective in supporting their clients' financial reporting.

SOC 2: Reports on the controls over security, availability, processing integrity, confidentiality, and privacy. These reports are intended to provide assurance to clients that the service organization's controls are effective in meeting their clients' security and compliance requirements.

SOC 3: A general-use report that provides an overview of the service organization's controls over security, availability, processing integrity, confidentiality, and privacy. SOC 3 reports are designed to be more accessible to a wider audience, such as customers, regulators, and other stakeholders.

By obtaining a SOC report, service organizations can demonstrate to their clients that their controls are effective and meet their clients' requirements. This can help service organizations to win new business, retain existing clients, and provide assurance to their clients' auditors that their controls are effective.