As of May 1, 2017, a new auditing standard for service organizations was implemented for companies to follow. This new standard is called SSAE 18, which took the place of the last statement on standard, SSAE 16, which was in use for the seven previous years. Some people are finally grasping the changes from SAS 70 to SSAE 16, but the new standard is here to stay.
This is could be a major concern for some companies who have finally adopted the system and have developed a routine in their work environment.
Before we go any further with explaining the details between SSAE 16 and SSAE 18, an explanation of what SSAE would be beneficial. SSAE stands for Statement on Standards for Attestation Engagements, which is overseen by The American Institute of Certified Public Accountants (AICPA) and more specifically the Auditing Standards Board (ASB). https://www.youtube.com/embed/lNxVuWZN6eAAccording to the AICPA, “Service Organization Control (SOC) reports are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service.”
In other words, SSAE is used to regulate how companies conduct business, and more specifically it defines how companies report on compliance controls. These reports are called SOC 1, SOC 2, and SOC 3.
SOC 1 is a control report for service organizations, which pertains to internal control over financial reports.
SOC 2 is a report using the existing SysTrust and WebTrust principles. This report evaluates the business information system that relates to security, availability, processing integrity, confidentiality, and privacy.
SOC 3 is also based on SysTrust and WebTrust principles. But the SOC 3 report does not go into as much detail as SOC2 and is primarily used as marketing material.
One of the ways to comply with SSAE 18 is to have a risk assessment through these reports.
The SSAE 18 update brings in a couple significant differences than its predecessor, SSAE 16. Its main purpose is to clarify certain old standards and streamline and simplify the review process. The update to this standard will also demand companies take more control and responsibility of the people they work with, primarily third-party vendors.
The changes do not seem so arduous for organizations to deal with, but the changes seem to be for the better and could help bridge any spaces between these company relationships.
Under the new SSAE 18 guidelines, service organizations will now need to have specific management programs for their third-party vendors. If an organization has third-party vendors, also known as Subservice organizations, the company needs to have clearly described responsibilities for each of these vendors. In addition to this, they need to have recorded performance reviews that contain routine audits and reviews on what they learned from these findings.
Service Organizations also need to have a formal process to gauge annual risk assessment. This new statement of standards also addresses risks and mandates an assessment for them. As a part of each report for third-party vendors, each company needs to include specific plan details on how they deal with risk management. The report for this program also needs to explain and outline the efficiency of this plan.
Another facet that this guideline states is that any third-party vendor working for a company should also uphold the same standards as the company they are working with.
Also under the new statement of standards, the management team will also be required to provide a written statement for further assurance. This document should declare the entire capacity of whom they are working with.
There are many pros to having a statement of standards. One of the first ones as mentioned earlier is simple fact that other companies are more likely to trust you with their business. Other companies tend to look at this standard as a promise to them that you are being forthright in all interactions.
Having an SSAE 18 review performed also keeps the other companies at ease. It doesn’t matter how big or small the other company is, they will always have questions about your business. An added bonus to being audited gives the company a better insight into themselves. And with the help of the AICPA and the ASB, the company will receive expert advice these particular problems.
Having an external group of auditors can help tremendously. An extra pair of eyes can catch aspects of what is working and what is not. These experts have experience with different tips and tricks that can be very beneficial to the company.
Another benefit of having an SSAE review performed is improved performance within the company. Sometimes the mere knowledge of an outside source coming in to check on the company is enough to motivate the employees.
Certification for SSAE is important because many customers are looking for places with a good reputation. A certification gives a company extra credibility for the way they conduct business.
Many businesses are now required to have SSAE 18. Many vendors need to attain SOC reports for SSAE 18. Some of these include nonprofit organizations, government entities, financial service companies, IT, transportation companies, health care providers, construction companies, insurance agencies, manufacturing, real estate, and trucking.
The way a company can get a SOC certification is by having an independent certified public accountant come in and determine that they are conducting their business to their specifications and that they are qualified for certification. Here is an SSAE checklist to ensure compliance:
SSAE 18 certified data centers are reputable. But there are a couple different things a data center needs to do to be SSAE 18 certified. There are many principles that all data centers, colocation, and hosting facilities need to keep in mind when looking to get certified.
The data center needs to take into account security. They need to sustain physical security controls. This could include security guards, biometric scanning, and video cameras.
The next is availability. They need to be ready and able for their customers. The next one is processing integrity. Data centers need to uphold adequate data and power redundancy.
Data centers also need to have a suitable fire and water detection and protection plan. They also need to be able to monitor temperature fluctuations.
Lastly, data centers need to make sure they uphold confidentiality and privacy for their customers.
The main reason for SSAE 18 and all statement on standards, in general, is to give your clients assurance, and the peace of mind that the environment that you have created for their important data is safe and secure. But having an SSAE certification can be beneficial to your company as well.