SSAE No. 18
Statement on Standards for Attestation Engagements no. 18 (SSAE No. 18 or SSAE 18) is a Generally Accepted Auditing Standard produced and published by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board. Though it states that it could be applied to almost any subject matter, its focus is reporting on the quality (accuracy, completeness, fairness) of financial reporting. It pays particular attention to internal control, extending into the controls over information systems involved in financial reporting. It is intended for use by Certified Public Accountants performing attestation engagements (the preparation of a written opinion about a subject) and by the client organizations preparing the reports that are the subject of the attestation engagement. It prescribes three levels of service: examination,[1] review,[2] and agreed-upon procedures.[3] It also prescribes two types of reports for reporting on an examination of controls at a service organization relevant to user entities' internal control over financial reporting: Type 1, which includes an assessment of internal control design, and Type 2, which additionally includes an assessment of the operating effectiveness of controls.[4] Published April 2016,[5] SSAE 18 and all previous standards it supersedes are represented in section AT-C of the AICPA Professional Standards, with most sections becoming effective on May 1, 2017.[6]
History and influences
Precedents and initial release
SAS 70: In April 1992, the AICPA published Reports on the processing of transactions by service organizations; Statement on auditing standards, 070, which provides guidance when auditing the financial statements of an entity that uses a service organization to process transactions that affect financial reporting.[7]
COSO Internal control: integrated framework: In September 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a report titled Internal control: integrated framework, which provided a definition of internal control and a framework for evaluating and improving internal control over systems.[8]
SAS 78: In December 1995, the AICPA published Consideration of internal control structure in a financial statement audit: an amendment to SAS no. 55; Statement on Auditing Standards, 078, which superseded SAS 55 to reflect the definition of internal control provided in COSO Internal Control-Integrated Framework.[9]
SOX: In early 2002, the United States issued the Sarbanes-Oxley Act, which established requirements for publicly listed companies to issue an internal control statement along with their financial statements. It requires the internal controls statement to be based on a structured and substantiated system of internal control. It also established a requirement for financial auditors to examine and report on the internal control statement provided by management.[10]
ISAE 3402: In December 2009, the International Auditing and Assurance Standards Board (IAASB) published a new International Standard for Assurance Engagements, ISAE 3402, titled Assurance Reports on Controls at a Service Organization,[11][10] also known as Internal Control Framework over Financial Reporting (ICFR). It focuses on "assurance engagements when reporting on controls at a service organization that are likely to impact or be a part of the user organization's system of internal control over financial reporting". It specifies ISAE 3000 as being applicable. ISAE 3402 was adopted by the International Federation of Accountants (IFAC).[12]
SSAE 16: In April 2010, the AICPA published Statement on Standards for Attestation Engagements no. 16 (SSAE 16), titled Reporting on Controls at a Service Organization, which superseded SAS 70 and was included in Professional Standards as section AT 801.[13] The changes in this update brought the standard closer to the reporting structure required by the Sarbanes-Oxley Act and the standards supported by the International Federation of Accountants (IFAC).[14]
SOC: In 2011, in conjunction with the release of SSAE 16, the AICPA replaced the service auditor’s examination report prescribed by SAS 70 with the System and Organization Controls (SOC) suite of reports.[10][15][16]
Trust Services Criteria: In 2014, the AICPA Assurance Services Executive Committee (ASEC) published new guidance, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, referred to simply as control criteria, for use in attestation engagements for reporting on the suitability of the design and operating effectiveness of controls over information systems. The new control criteria were aligned with the 17 principles of COSO Internal Control—Integrated Framework. They included criteria to supplement COSO principle 12 by addressing controls for logical and physical access, system operations, change management, and risk mitigation.[17]
SSAE 18: In April 2016, the AICPA published Statement on Standards for Attestation Engagements 18; Attestation Standards: Clarification and Recodification in response to "concerns over the clarity, length, and complexity of its standards",[5] with most sections becoming effective on May 1, 2017.[18] SSAE No. 18 supersedes and integrates most prior SSAE releases into a single clarified standard.[6]
Clarification and recodification
SSAE No. 18 clarified and revised all prior SSAEs except for SSAE No. 10 chapter 7, which was placed in AT-C section 395 in unclarified form, and SSAE No. 15, which was replaced by Statement on Auditing Standards No. 130 and moved to AU-C section 940. The AT section numbers for the superseded SSAEs were recodified in the Professional Standards as section "AT-C" to avoid confusion with the older standards codified as section "AT".[6]
Complementary subservice organization controls
SSAE No. 18 requires the consideration of Complementary Subservice Organization Controls, which are the controls for portions of the service organization’s systems that are outsourced to other service organizations.[19]
Recent developments
There have been some notable developments in information assurance audit standards since the initial release of SSAE no. 18 that affect reporting under this standard.
Cybersecurity Risk Management Reporting Framework: In 2017 the AICPA Assurance Services Executive Committee (ASEC) published new and revised materials that together form a cybersecurity risk management reporting framework. The framework is intended to assist organizations in their description of cybersecurity risk management activities. It is also intended to assist CPAs in performing examination engagements, known as SOC for Cybersecurity examinations. The three resources that form the framework are:[20][21][22]
- Description Criteria, titled Criteria for describing a set of data and evaluating its integrity, introduced in 2017, is intended for use by management when describing its cybersecurity risk management program and for use by CPAs to report on management’s description.[23]
- Control criteria, titled Trust Services Criteria for Security, Availability, and Confidentiality, revised in 2017, is intended for CPAs providing advisory or attestation services to evaluate and report on the effectiveness of controls.[17]
- Attestation guide, titled Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, introduced in 2017, is intended to assist CPAs with reporting on system and organization controls for cybersecurity risk management.
Trust Services Criteria (TSC): In 2017, as part of the Cybersecurity Risk Management Reporting Framework, the AICPA Assurance Services Executive Committee (ASEC) released updates to the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, referred to as control criteria by the Cybersecurity Risk Management Reporting Framework. SOC 2 or SOC 3 reports with an examination period ending on or after 15 December 2018 must comply with the revised control criteria.[17][24][25]
SOC: As of 2018, the AICPA continues to update and expand its System and Organization Controls (SOC) reporting guidance. This includes new material such as SOC for Service Organizations[26] and the SOC for Cybersecurity Reporting Framework.[27]
Sections and organization
The sections of SSAE no. 18 are represented under section AT-C of the AICPA Professional Standards. The outline of the sections is as follows:[5]
- SSAE 18 Preface
- SSAE 18 Common Concepts
  - AT-C §105 Concepts Common to All Attestation Engagements
- SSAE 18 Level of Service
  - AT-C §205 Examination Engagements
  - AT-C §210 Review Engagements
  - AT-C §215 Agreed-Upon Procedures Engagements
- SSAE 18 Subject Matter
  - AT-C §305 Prospective Financial Information
  - AT-C §310 Reporting on Pro Forma Financial Information
  - AT-C §315 Compliance Attestation
  - AT-C §320 Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
  - AT-C §395 Designated for AT Section 701, Management's Discussion and Analysis
§105 Concepts Common to All Attestation Engagements
AT-C section 105, effective May 1, 2017, defines requirements for all types of attestation engagements. It describes an attestation engagement as being one of three service levels, which are defined in sections 205, 210, and 215. It also identifies the three overall objectives of an attestation engagement.[18][5]
§205 Examination Engagements
AT-C section 205, effective May 1, 2017, principally defines the requirements and contents of an examination engagement, one of the three service levels of an attestation engagement.[1][5]
§210 Review Engagements
AT-C section 210, effective May 1, 2017, principally defines the requirements and contents of a review engagement, one of the three service levels of an attestation engagement.[2][5]
§215 Agreed-Upon Procedures Engagements
AT-C section 215, effective May 1, 2017, principally defines the requirements and contents of an agreed-upon procedures engagement, one of the three service levels of an attestation engagement.[3][5]
§305 Prospective Financial Information
AT-C section 305, effective May 1, 2017, sourced from SSAE No. 18, contains requirements and guidance for examining or performing agreed-upon procedures on prospective financial information.[28][5]
§310 Reporting on Pro Forma Financial Information
AT-C section 310, effective May 1, 2017, sourced from SSAE No. 18, contains requirements and guidance for examining or reviewing pro forma financial information.[29][5]
§315 Compliance Attestation
AT-C section 315, effective May 1, 2017, sourced from SSAE No. 18, contains requirements and guidance for performing the following types of engagements:
§320 Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
AT-C section 320, sourced from SSAE No. 18, effective on May 1, 2017, contains requirements and guidance for examining controls at service organizations that provide services to user entities where those controls are relevant to the user entities’ internal control over financial reporting. It may also be applied to reporting on internal controls other than financial reporting.[4][5]
§395 Designated for AT Section 701, Management's Discussion and Analysis
AT-C section 395, sourced from SSAE no. 18, effective on June 1, 2001, contains requirements and guidance for attestation engagements regarding management's discussion and analysis (MD&A), such as those presented in annual reports to shareholders.[31]
Definitions
Roles and responsibilities
SSAE 18 identifies two primary roles during the formation of an attestation engagement:[18]
- Practitioner, a person who practices public accounting, who performs the engagement; and
- Engaging party, the entity that engages the practitioner to perform an attestation.
SSAE 18 refers to two roles that are the main actors during an attestation engagement:[18]
- The practitioner, also referred to in section 320 as the service auditor, the person performing the attestation engagement; and
- The responsible party, also referred to as management or service organization or service provider, which is the party responsible for providing the statements, descriptions and/or assertions that are the subject matter of the attestation engagement.
SSAE 18 identifies two subordinate roles that may be engaged by the practitioner:[18]
- Other practitioner, who provides information that will be used as evidence by the practitioner; and
- Practitioner’s specialist, who "possesses expertise in a field other than accounting or attestation", who assists in gathering evidence.
SSAE 18 also identifies other relevant roles not directly engaged in the audit:[18]
- AICPA, which publishes the audit standards and code of ethics that the responsible or engaged parties are expected to follow;
- Subservice organization, a service organization used by a service organization that is the responsible party; and
- Users, which may refer to the intended users of the practitioner's report, also referred to as the Specified party, or the users of the services provided by the Service Provider.
Service levels
Sections 205, 210, and 215 are intended to define the three service levels for any attestation engagement, though other applicable sections may specify additional requirements for the engagement:
- For an examination engagement, the objectives of the practitioner are:[1]
  - to obtain assurance that the subject matter is free from material misstatement, and
  - to express an opinion on whether the subject matter meets the specified criteria or the responsible party's assertion and is fairly stated.
- For a review engagement, the objectives of the practitioner are:[2]
  - to obtain limited assurance that the subject matter meets the specified criteria or the responsible party's assertion, and
  - to express a conclusion on whether any modifications should be made to meet the specified criteria or assertion and be fairly stated.
- For an agreed-upon procedures engagement, the objective of the practitioner is:[3]
  - to issue a report of findings based on specified agreed-upon procedures which are applied to the subject matter, where the specified parties determine the procedures used.
Sections 205, 210, and 215 also prescribe or prohibit certain attestation engagement service levels depending on the subject matter.
Report types
SSAE 18 section 320, titled "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting", defines two types of report formats, type 1 and type 2, that vary in their content, which further differentiates the level of service to be performed in an attestation engagement for this subject matter:[4][32]
- Type 1, which includes an assessment of the design of identified controls, and
- Type 2, which also includes an assessment of the operating effectiveness of identified controls.
Subject matter
SSAE 18 states that it may be applicable to any subject matter, though the nature of the subject matter is a key factor in determining which sections of the standard are applicable and which attestation engagement service level the practitioner may perform. All attestation engagements are predicated on the concept that the practitioner reports an opinion about a statement, description, or assertion made by the responsible party about a subject matter.
- Prospective financial information, including financial forecasts and projections, is the focus of AT-C section 305.[28]
- Pro forma financial information is the focus of AT-C section 310.[29]
- Compliance or an assertion of compliance regarding laws, regulations, rules, contracts, or grants, is the focus of AT-C section 315.[30]
- Management's description of the service organization's system, including control objectives, controls, and descriptions of fraud or non-compliance, which are likely to be relevant to the user entities’ internal control over financial reporting, is the focus of section 320.[4]
- Management's discussion and analysis (MD&A), which is presented in annual reports to shareholders, is the focus of section 395.[31]
References
- "AT-C Section 205 Examination Engagements" (PDF). aicpa.org. American Institute of Certified Public Accountants (AICPA). Retrieved 17 February 2020.
- "AT-C Section 210 Review Engagements" (PDF). aicpa.org. American Institute of Certified Public Accountants (AICPA). Retrieved 17 February 2020.
- "AT-C Section 215 Agreed-Upon Procedures Engagements" (PDF). aicpa.org. American Institute of Certified Public Accountants (AICPA). Retrieved 17 February 2020.
- "AT-C Section 320 Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting" (PDF). aicpa.org. American Institute of Certified Public Accountants (AICPA). Retrieved 14 February 2020.
- "Statement on Standards for Attestation Engagements 18 Attestation Standards: Clarification and Recodification" (PDF). aicpa.org. American Institute of Certified Public Accountants (AICPA). April 2016. Retrieved 14 February 2020.
- "Clarified Statements on Standards for Attestation Engagements". aicpa.org. American Institute of Certified Public Accountants (AICPA). Retrieved 14 February 2020.
- "Reports on the processing of transactions by service organizations; Statement on auditing standards, 070". olemiss.edu. American Institute of Certified Public Accountants (AICPA). Retrieved 15 February 2020.
- "Internal Control - Integrated Framework". coso.org. Committee of Sponsoring Organizations of the Treadway Commission (COSO). Archived from the original on 2009-02-28. Retrieved 15 February 2020.
- "Consideration of internal control structure in a financial statement audit: an amendment to SAS no. 55; Statement on Auditing Standards, 078". olemiss.edu. American Institute of Certified Public Accountants (AICPA). Retrieved 15 February 2020.
- van Gils, H.G.Th.; van Beek, J.J. (April 2017). "The New US Assurance Standard SSAE 18: A practical update of the international ISAE 3402?". Compact. 2017 (4). Retrieved 15 February 2020.
- Seshadri, Deepa (1 March 2013). "Common Myths of Service Organization Controls (SOC) Reports". isaca.org. ISACA. Retrieved 17 February 2020.
- "International Standard on Assurance Engagements (ISAE) 3402: Assurance Reports on Controls at a Service Organization" (PDF). ifac.org. International Federation of Accountants (IFAC). Retrieved 15 February 2020.
- "AT Section 801 Reporting on Controls at a Service Organization" (PDF). aicpa.org. American Institute of Certified Public Accountants (AICPA). Retrieved 17 February 2020.
- Wood, Brian (9 June 2014). "SAS 70 vs. SSAE 16: What's the Difference?". nfinit.com. NFINIT (formerly AIS Technology Services). Retrieved 17 February 2020.
- "System and Organization Controls (SOC): SOC Suite of Services". aicpa.org. American Institute of Certified Public Accountants (AICPA). Retrieved 15 February 2020.
- "SSAE 16 overview". ssae16.com. SSAE16.com. Retrieved 15 February 2020.
- "Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy" (PDF). aicpa.org. AICPA Assurance Services Executive Committee (ASEC). 2017. Retrieved 17 February 2020.
- "AT-C Section 105 Concepts Common to All Attestation Engagements" (PDF). aicpa.org. American Institute of Certified Public Accountants (AICPA). Retrieved 14 February 2020.
- Arnold, Mark (21 February 2019). "The Importance of SSAE 18, SOC 1 and 2". navisite.com. Navisite. Retrieved 15 February 2020.
- "Cybersecurity risk management reporting fact sheet" (PDF). aicpa.org. AICPA. Retrieved 17 February 2020.
- "AICPA Unveils Cybersecurity Risk Management Reporting Framework". aicpa.org. AICPA. 26 April 2017. Retrieved 17 February 2020.
- Tysiac, Ken (26 April 2017). "A new cybersecurity risk management reporting framework for management and CPAs". journalofaccountancy.com. Journal of Accountancy. Retrieved 18 February 2020.
- "Criteria for describing a set of data and evaluating its integrity" (PDF). aicpa.org. AICPA. 1 January 2020. Retrieved 18 February 2020.
- Bell, Dennis (5 November 2018). "New SOC 2, SOC 3 Trust Services Criteria, Is your service organization ready?". grantthornton.com. Grant Thornton LLP. Retrieved 17 February 2020.
- Prasad, Varun (26 March 2019). "The Next Challenge in IT Compliance Reporting: SOC2 2017 Trust Services Criteria". isaca.org. ISACA. Retrieved 17 February 2019.
- "SOC for Service Organizations". aicpa.org. AICPA. Retrieved 17 February 2020.
- "SOC for Cybersecurity Compliance, A Comprehensive Risk Management Examination". barradvisory.com. BARR Advisory, P.A. Retrieved 18 February 2020.
- "AT-C Section 305 Prospective Financial Information" (PDF). aicpa.org. American Institute of Certified Public Accountants (AICPA). Retrieved 17 February 2020.
- "AT-C Section 310 Reporting on Pro Forma Financial Information" (PDF). aicpa.org. American Institute of Certified Public Accountants (AICPA). Retrieved 17 February 2020.
- "AT-C Section 315 Compliance Attestation" (PDF). aicpa.org. American Institute of Certified Public Accountants (AICPA). Retrieved 17 February 2020.
- "AT-C Section 395 Designated for AT Section 701, Management's Discussion and Analysis" (PDF). aicpa.org. American Institute of Certified Public Accountants (AICPA). Retrieved 14 February 2020.
- "SOC 2 Compliance". imperva.com. Imperva. Retrieved 25 February 2020.
External links
- AICPA Statement on Standards for Attestation Engagements 18, Attestation Standards: Clarification and Recodification, full text
- AICPA Professional Standards, AT-C sec. 105 Concepts Common to All Attestation Engagements
- AICPA Professional Standards, AT-C sec. 205 Examination Engagements
- AICPA Professional Standards, AT-C sec. 210 Review Engagements
- AICPA Professional Standards, AT-C sec. 215 Agreed-Upon Procedures Engagements
- AICPA Professional Standards, AT-C sec. 305 Prospective Financial Information
- AICPA Professional Standards, AT-C sec. 310 Reporting on Pro Forma Financial Information
- AICPA Professional Standards, AT-C sec. 315 Compliance Attestation
- AICPA Professional Standards, AT-C sec. 320 Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
- AICPA Professional Standards, AT-C sec. 395 Designated for AT Section 701, Management's Discussion and Analysis
- AICPA System and Organization Controls: SOC Suite of Services Home page