Statement on Standards for Attestation Engagements (SSAE) 18

Statement on Standards for Attestation Engagements (SSAE) 18 is an American attestation standard issued by the American Institute of Certified Public Accountants (AICPA). SSAE 18 became effective on 1st May 2017, replacing SSAE 16 and its predecessor SAS 70.

The Statement on Standards for Attestation Engagements (SSAE) No. 16 is an attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). It addresses engagements undertaken by a service auditor for reporting on controls at service organizations that provide services to user entities, where the service organization's controls are likely to be relevant to the user entities' internal control over financial reporting. A service organization is any entity providing services (for example, server hosting and colocation providers, software-as-a-service companies, payroll processors, etc.) to another organization. The SSAE 18 standard is used to produce System and Organization Controls (SOC) reports.

There are three types of attestation reports:
– SOC 1
– SOC 2
– SOC 3

SOC 1 reports are designed to provide external parties, such as partners and customers, with assurance that a company's internal controls over financial reporting are appropriately designed and operating effectively. SOC 1 reports are a good way to gain confidence that you are doing the right things, and they help your customers gain trust in you as a service provider.

The report scope should cover the information system processes that are used to deliver the services under review. There are 2 types of SOC 1 reports:

SOC 1 Type I: This option evaluates and reports on the design of controls placed into operation as of a point in time. The Type I report provides only a description of your company, the internal control environment, references to your policies and procedures, and an opinion on the suitability of the design of the controls in place at the point in time the report was issued. It provides very little value to your customers and partners because it gives no opinion on whether you are actually following your own policies and procedures. Type I reports are usually just a stepping stone to the much stronger SOC 1 Type II.

SOC 1 Type II: Includes the design and testing of controls to report on the operating effectiveness of those controls over a period of time (typically 12 months). It provides clients in highly regulated industries with documented assurance that their confidential customer data is being handled correctly. Hence, a SOC 1 Type II report is typically much more valuable to external parties.

A SOC 2 report is an engagement performed under AT-C section 205 and is based on the existing SysTrust and WebTrust principles. This report has the same options as the SOC 1 report, in that a service organization can decide to undergo a Type I or Type II certification. The purpose of a SOC 2 audit is to evaluate an organization's information systems relevant to:
– Security
– Availability
– Integrity
– Confidentiality
– and/or Privacy

Organizations that are asked to provide a SOC 1 but whose services do not affect their clients' financial reporting should select this reporting option.

A SOC 3 report does not contain a description of the service auditor's tests of controls or their results. SOC 3 reports are intended to give organizations a publicly available report, and they are commonly published on websites and in marketing materials. The limited information they contain allows companies to illustrate their accomplishments without disclosing sensitive or confidential details.
Organizations whose primary goal is the marketing of their system or product against an industry-approved standard should select this reporting option.