Frequently Asked Questions About SAS 70 Versus SSAE 18 and SSAE 16

The acronym "SSAE" stands for Statement on Standards for Attestation Engagements, and was developed by the American Institute of Certified Public Accountants (AICPA). CPA firms must follow the rules set forth by the AICPA when conducting an audit of a company’s financial statements or attestation of a company’s internal controls.

SSAE 18, Service Organizations (often referred to as SSAE 18 or SOC; and previously known as SSAE 16 or SAS 70) contains the rules for conducting an attestation of a service organization’s internal controls and issuing a System and Organization Controls’ (SOC) report. Service auditors are required to follow these rules when conducting a SSAE 18 engagement.

The primary objective of the SOC report (auditor’s opinion) is to provide the reader with information about the internal controls and security practices at a service organization. The role of the CPA firm (service auditor) is to perform tests in order to provide independent assurance about the accuracy and adequacy of that description of controls.

There are two types of SOC reports:

SOC1: Report on controls over financial report

SOC2: Report on controls over the security, availability, confidentiality, processing integrity, and/or privacy

In an effort to move toward international accounting standards, the AICPA issued Statement of Standards for Attestation Engagements 16 (SSAE 16) in April 2010. It replaced SAS 70 and was designed to closely mirror International Standard on Assurance Engagements 3402 (ISAE 3402).

It is intended to provide user organizations and their auditors improved assurance about the reliability of controls throughout the reporting period. The new reporting was required for all service organization control reports with periods ending after June 15, 2011.

In an effort to standardize attestation criteria, the AICPA issued Statement for Attestation Engagement Standards for Attestation Engagements (SSAE 18) in April 2016. It replaced SSAE 10 through 17 and required service auditors to enhance their risk assessment procedures around the reported subject matter. The new standard was required for all SOC reports issued after May 1, 2017.

The key distinction between the SOC reports is the subject matter that the reports are used to provide clients assurance on. A SOC 1 report is related to internal controls that impact financial reporting or internal controls of the clients of the service organization. A SOC 2 is related to internal controls that impact system security availability, processing integrity, confidentiality, or the privacy of customer data. Each of these reports are further divided by the level of testing, and therefore, the level of assurance the SOC report provides.

In a Type I report, the auditor’s opinion states that the description is reasonably accurate, the controls described are suitably designed to achieve specified control objectives, and the controls have been implemented as of a specified date. This opinion is therefore a “point-in-time” opinion.

The Type II report offers more assurance because, in addition to stating that the description is reasonably accurate, the controls described are suitably designed to achieve specified control objectives, and the controls have been implemented. The auditor’s opinion also states that the controls described operated effectively over a specified period of time. The time period is typically six months to a year. Obviously, the marketplace greatly prefers the increased level of assurance offered in a Type II report.

A system and organization control (SOC) cybersecurity report can provide assurance that your cybersecurity program is adequately designed and operating effectively based on guidance from the American Institute of Certified Public Accountants (AICPA). The report may be required by the Securities and Exchange Commission (SEC) for publicly traded companies. Privately held companies and nonprofit organizations may use the assessment and report to strengthen or expand your cybersecurity position and satisfy the demands of management, customers, shareholders, and other constituents.

Service organizations are otherwise known as outsourced data centers. They are organizations hired by another entity to process transactions and data, which are usually confidential. Service organizations are part of the users’ internal control. Examples include companies that perform services in the following areas:

• Accounting
• Benefits
• Billing
• Clearing house
• Collection
• Finance
• Insurance
• Investment
• Information technology (IT)
• Market research
• Payroll

The AICPA established SAS 70 (later SSAE 16 and now SSAE 18) in response to a huge market shift toward outsourcing data processing. This shift put a significant portion of a company’s internal controls into the hands of the service organization they hired to process their transactions. Service organizations found themselves responding to multiple audit requests from their clients and their respective auditors, which strained their resources.

SAS 70 eliminated the request for nonstop audits because one audit firm can now audit the internal controls. The auditors for the service organization’s customers (the user organization) can rely on one audit. The AICPA continued to build and strengthen the reporting on internal controls of service organizations by issuing updated standards in SSAE 16 to include the division of reporting between financial report concerns (SOC1), and data security and integrity concerns (SOC2).

After several public companies were charged with fraud and negligence, the Sarbanes-Oxley Act of 2002 (SOX) was implemented. Section 404 of SOX requires independent auditors to assess and express an opinion on the effectiveness of its clients’ internal controls over financial reporting, including service organization controls. Internal controls are the safeguards companies apply to ensure that financial reporting is reasonably accurate and free of significant misstatements, errors, and fraud. They include business process controls and IT security practices.

Many public companies outsource functions of their business to third parties (service organizations). Frequently those functions constitute a key element of the financial reporting process. Therefore, the service organization must be included in the SOX 404 assessment and the SOC report provides a mechanism to report on the operating effectiveness of those controls.

Any organization (large or small, for-profit or nonprofit) that has used a service organization to process financial transactions or handle sensitive data could benefit from obtaining a SOC report from their service auditor. If applied correctly, the report shows evidence of financial reporting controls and the safeguarding of confidential information.

Many industries are now requiring vendors to obtain SOC reports, including financial service companies, information technology, construction and real estate, dealership, health care, insurance, nonprofit, government, manufacturing and distribution, and trucking and transportation.

Not only has SOX affected the banking and health care industries, but lately these industries have received a lot of negative attention for being targets of cyber thieves who use their confidential data for fraud and identity theft. Naturally, the regulatory environment is becoming stricter. Those with fiduciary responsibilities must take their roles very seriously and establish the policies necessary to mitigate risks.

Alarmed by the growing number of data and identity thefts, banking and health care regulators are focusing on vendor management. Financial institutions and health care providers are required to know more about the security and privacy practices of the companies they are outsourcing business functions to (service organizations).

Many regulations have been implemented to address the threats to banking and health care data and information system vulnerabilities. And the government is following up to make sure organizations are in compliance. For example, the Federal Financial Institutions Examination Council (FFIEC) issued the Cybersecurity Assessment Framework and industry regulators will be assessing the controls for financial institutions along with their vendors.

Service organizations receive significant value from the performance of a SSAE 18 engagement. It provides assurance for SOX, bank regulators, HIPAA, user organizations, and more.

Often the SSAE 18 engagements identify opportunities for improvements in operational areas. SSAE 18 can dramatically improve your internal control — resulting in minimized risk of error, irregularities, and fraud.

A SSAE 18 engagement with an unqualified opinion can be used as a marketing tool to show potential customers your commitment to the development of sound internal safeguards and business practices. SSAE 18 can differentiate you from your peers.

Without a service auditor’s report, service organizations may have to respond to multiple audit requests from their clients and their respective auditors, which will strain resources. A SOC report will ensure that all user organizations and their auditors have access to the same information and in many cases will satisfy the user auditor’s requirements.

User organizations that obtain a service auditor’s report receive a detailed description of the service organization's controls and an independent assessment of whether the controls were placed in operation, suitably designed, and operating effectively (in the case of a Type II report). User auditors will use this information when obtaining a sufficient understanding of controls to assess the risk of material misstatement of the financial statements or understanding of controls to security and protect the organizations data.

User organizations should provide a SOC report to their auditors. This will help plan the audit of the user organization's financial statements or data handling practices. Without this report, the user organization would likely incur additional costs sending their auditors to the service organization to perform their required procedures.

Only an independent, licensed CPA firm can conduct SSAE 18 attestation services, and when doing so they are required to follow the professional standards developed by the AICPA.

Final reports must be reviewed and issued by a licensed CPA; however, public accounting firms are permitted to utilize the skills of non-CPA professionals as part of the SSAE 18 engagement team. Typically, non-CPA professionals are relied upon for their specialized information security certifications.

Any CPA firm can offer SSAE 18 attestation services; however, service organizations should seek out firms with SSAE 18 experience and the staff to provide the services. Look for personnel with a combination of accounting, auditing, and information security credentials including Microsoft Certified Professional (MCP), Citrix Certified Administrator (CCA), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and CPA.

Service organizations that have never had a SSAE 18 usually start off with a pre-assessment consulting engagement. The pre-assessment is designed to determine whether the existing control environment is robust enough to pass the suitably designed component of the auditor’s opinion.

Two key components of the pre-assessment include documenting descriptions of the internal controls and identifying control deficiencies. Since many organizations lack extensive written policies and procedures, this is not a trivial task and is typically the most time consuming and expensive part of the SSAE 18. Service organizations with a control framework have an advantage because in many cases, it provides the process and documentation necessary to minimize the effort often required in the pre-assessment phase. (Refer to What are the benefits of a control framework? for more details.)

If a service organization has never had a SSAE 18, the first-time project would include:

• Pre-assessment (Refer to Where do service organizations begin if they’ve never had a SAS 70 audit? for more details.)
• Identify type of engagement (Refer to What are the differences between the SOC Reports) and applicable control objectives or the trust service principles
• Obtain a description of controls relevant to achieving objectives
• Assess the accuracy of the description of the controls
• Identify gaps
• Develop a gap remediation strategy
• Develop a written description of controls
• Remediation
• Institute improved controls to address gaps identified in the pre-assessment
• SSAE 18 engagement
• Type I or II

A control framework helps develop the control objectives. In many cases, it provides the process and control documentation necessary to minimize the effort required in the pre-assessment phase.

A framework also provides the users of the SOC report a reliable, repeatable method to objectively measure the controls put in place by the service organization. By comparing the control objectives and activities reported by the service organization to those contained in the framework, the users can get an improved sense for the completeness of controls reported.

There are three widely recognized and distributed control frameworks:

The Committee of Sponsoring Organizations (COSO) of the Treadway Commission developed a control framework. This framework typically forms the basis for SOC reporting.

The Control Objectives for Information and Related Technologies (COBIT) framework is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association. It’s partly built upon the COSO framework.

ISO/IEC 17799 Part 1 framework for information security practices was adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Committee (IEC) in 2000. Part 2, BS 7799 was published by the British Standards Institute (BSI).

CLA believes the COBIT framework is the most useful control framework for SAS 70 reporting. COBIT’s framework maps well to COSO, and public accounting firms that audit the financial statements of public companies understand it. For these reasons, using COBIT for SAS 70 assessments is especially useful for the internal control reporting requirements contained in SOX 404.

Technically, there is no such thing as a SSAE 18 certification because a SSAE 18 attestation states an auditor’s opinion on a service organization’s internal controls and security practices for a specific period of time. However, it’s common in the marketplace to refer to a SAS 70 audit as SAS 70 certification. While the term “certification” may not be accurate; the AICPA does provide for the use of a SOC logo to be included on the service organizations website and marketing material.

A SOC report does not carry an explicit expiration, although the report does warn against the projection of the results after the period covered on the report. This typically requires service organizations to re-perform the SSAE 18 periodically and the majority of organizations conduct the SSAE 18 engagement on an annual basis.

The distribution of a SOC report is restricted to actual or potential users of the system. The plan for distributing the SOC report should be formally agreed upon in the engagement letter between the service organization and the service auditor. Service auditor’s reports are generally distributed in three ways:

A service auditor will distribute a service auditor’s report to the audited service organization at the close of a SSAE 18 engagement.

The service organization will provide copies of the service auditor’s report to their customers (the organizations that hired them to outsource business functions) who are required to show their auditors the SOC report.

The service organization will likely use the SOC report as a marketing tool to differentiate its organization from the competition.

A SSAE 18 with an unqualified opinion can be used as a marketing tool. Some service organizations are marketing their reports in proposals, email signatures, press releases, website materials, direct mail, giveaways, brochures, etc.