What You Need To Know About SSAE 18 Reports

It’s no secret that data is incredibly valuable and data centers with subpar internal controls make it easy for cybercriminals to steal sensitive information. For businesses that rely on third parties to handle and store their data as well as client data, it is essential to receive assurances that the organization providing a service has implemented the best controls possible to protect important assets. SSAE 18 reports are the most efficient, reliable way to gain insight into the internal controls and security practices at a service organization. Here’s what you need to know about SSAE 18 reports to protect the integrity of your organization. 


What is SSAE 18? 

The American Institute of Certified Public Accountants (AICPA) created the Statement on Standards for Attestation Engagements (SSAE) as a guideline for CPAs to follow when auditing a company’s financial statements or internal controls. SSAE standards are essential for regulating how service organizations conduct business and how they report on compliance controls. SSAE 18 was designed to expand the parameters and breadth of attestation criteria and it includes a variety of attestation reports, such as SOC 1, SOC 2, and SOC 3. 


Types of SOC Reports

System and Organization Controls (SOC) reports are used to identify an organization’s key internal risks. Many companies rely on third parties to perform services such as payroll and taxation that require access to sensitive data, and these reports can shed light on a service organization’s ability to protect that information.

According to the AICPA, there are technically five types of reports, although one of them is still under development. While SOC for Cybersecurity and SOC for Supply Chains are still essential reports, the most commonly issued reports are as follows: 

SOC 1: a control report for service organizations that pertains to internal control over financial reports.

SOC 2: evaluates the internal controls under trust services categories like security, availability, processing integrity, confidentiality, and privacy.

SOC 3: a publicly available report that assesses the same trust services categories as SOC 2, but in less detail. This is mainly used as a marketing tool. 

Due to the growing reliance on data storage, many industries are now requiring vendors to obtain SOC reports. Some of these industries include financial service companies, information technology, health care, insurance, and government, to name a few. SOC reports demonstrate an organization’s commitment to data security and prove that they have adequate internal controls in place to safeguard confidential information. 


How Does SSAE 18 Differ From SSAE 16?

In 2016, the AICPA’s Auditing Standards Board (ASB) concluded a project which sought to provide clarity to attestation criteria. In an effort to address concerns related to the complexity, length, and comprehension of AICPA standards, they combined a number of SSAEs to create SSAE 18. Unlike SSAE 16, which specifically addressed service organizations and corresponded to SOC 1 reports, SSAE 18 pertains to SOC 1, SOC 2, and other types of attestation reports to provide a full picture of accountability and security.

Unfortunately, many CPA firms had just gotten used to previous adjustments made to these standards a few years prior. In fact, SSAE 16 reports were only relevant to service organizations and therefore only applicable to SOC 1 reports, so many people used the terms interchangeably. As of May 1, 2017, SSAE 18 superseded SSAE 16, and firms have had to transition to referring to the individual types of SOC reports when referencing SSAE 18.


How SSAE 18 Benefits Service Organizations 

Service organizations arguably stand to gain the most from SSAE 18 reports, since the auditing process can provide clarity to their internal controls and processes while the actual report makes their organization more marketable to potential clients. Frequently, SSAE 18 engagements identify key areas for improvement that can ultimately help to reduce risk, decrease the frequency of irregularities, and minimize chances of fraud. 

While SSAE 18 engagements are not legally required and companies submit themselves to the auditing process voluntarily, opting to receive a report can set the standard for the industry. Additionally, these reports can be used as marketing tools to differentiate one service organization from its peers by displaying their commitment to the creation and implementation of sound internal safeguards and best practices. 


SSAE 18 for User Entities 

User entities, or the businesses that rely upon the work of the service organization, can also benefit from obtaining SSAE 18 reports from potential clients. The service auditor’s report contains a detailed description of the service organization’s controls and an independent assessment of the effectiveness of those controls. This works to provide the user entity with a clear picture of the organization to whom they are entrusting their most valuable and sensitive data. Because SSAE 18 engagements can only be completed by an independent, licensed CPA, user entities can rest assured that the information provided in the report is unbiased and follows the professional standards established by the AICPA.


Preparing Your Organization for SSAE 18 Compliance 

For service organizations seeking to stay compliant with SSAE 18 standards, the type of audit they undergo will depend largely on the services they provide. Regardless of whether a company receives a SOC 1 report or SOC 2 report, they can prepare for the auditing process by providing the licensed CPA with a description of the system and a written statement of attestation. The description of the system includes information such as the services the organization provides, its policies and procedures, and the personnel who are involved in the core services of the business. As for the written statement of attestation, an organization’s management team should put together a document to assert that the organization’s system was designed and implemented in a way that achieves the goal of the organization. Having these documents ready will help to streamline the auditing process and prevent future roadblocks that could hinder the progress of the report. 


Trust and integrity are crucial to creating and maintaining positive customer relationships. If you want to set your service organization apart from the crowd by setting the standard for security and privacy, our expert team of licensed CPAs at K Financial can give you and your clients peace of mind.