All About SSAE 18
Statement of Standards for Attestation Engagements (SSAE) No. 18 – Attestation Standards: Clarification and Recodification, went into effect on May 1, 2017. This post is the second in a four-part series on the changes that will come along with this new standard, and what practitioners and service organizations need to know to ensure continued compliance.
SSAE No. 18 is part of an overall effort by the Auditing Standards Board (ASB) to update and clarify professional standards, with clarified provisions standards carrying an AT-C designation. The statement also advances efforts to converge U.S. auditing standards with those set by the International Auditing and Assurance Standards Board (IAASB).
No. 18 incorporates common concepts, levels of service and subject matter. Practitioners and service organizations need to be aware of each of these items, outlined below.
Common Concepts
AT-C section 105 requires any attestation engagement or review to be based on the following concepts, which are similar to requirements for financial statement audits or reviews:
- A party other than the practitioner is responsible for the subject matter.
- Subject matter must be appropriate.
- Criteria used to prepare and evaluate subject matter must be suitable and available.
- Evidence must be obtained to issue an opinion, conclusion or findings.
- A written report must be issued containing an opinion, conclusion or findings.
Levels of Service
AT-C sections 205, 210 and 215 restructure level of service standards previously contained in AT sections 101 and 201. New service level requirements include:
- Written assertion and representation letter requirements
- In-depth risk assessment
- Scope limitation considerations
Subject Matter
SSAE No. 18 includes guidance specific controls at a service organization relevant to a user entity’s internal controls over financial reporting. Guidance for service organizations and other reporting subject matters can be found in AT-C sections 305, 310, 315 and 320.
The changes associated with SSAE 18 directly affect Service Organization Control (SOC) report requirements and as a result, all SOC examinations (SOC 1, 2 and 3) will be issued under SSAE 18 going forward. Take Weaver’s short SOC quiz to help you determine which type of SOC report is best suited for your organization.