The Key Differences Between SSAE-16 and SSAE-18 Assessments

Today, many organizations are concerned with the IT and security control practices used by third-party providers and vendors. Organizations are demanding independent assessments of the IT and security control measures of their third-party organizations. In many cases, they are requesting some type of SSAE-16 review or an SSAE-18 assessment.


A New Standard

The new SSAE-18 standard, “Concepts Common to All Attestation Engagements,” replaces the old SSAE-16 standard, “Statements on Standards for Attestation Engagements 16, Reporting on Controls at a Service Organization,” as of May 1, 2017. The old SSAE-16 standard was based on the requirements and guidance provided by Attestation Standards section 801, Reporting on Controls at a Service Organization. The new SSAE-18 standard is based on the requirements and guidance provided by Attestation Standards section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting.


The 6 differences that summarize the change between SSAE-18 and SSAE-16

  1. The new standard works under a redefined SOC acronym. Under the old SSAE-16 standard, SOC stood for Service Organization Control. Under the new SSAE-18 standard, SOC stands for System and Organizational Controls, and it applies to other types of organizations and to system-level and/or entity-level controls.
  2. In the old SSAE-16 Standard, complementary user-entity controls were defined as those controls at user-entity organizations that were both necessary and unnecessary to achieve control objectives stated in management’s description. Under the SSAE 18 Standard, complementary user-entity controls are now defined as those controls that are only necessary to achieve control objectives stated in management’s description.
  3. The new SSAE-18 standard adds requirements related to subservice organizations and vendor management processes. First, complementary subservice organization controls have been introduced; these are the controls expected to be implemented at subservice organizations that are necessary to achieve the control objectives stated in management’s description. When a subservice organization is carved out, the Complementary Subservice Organization Controls are now provided in management’s description, in the same way as Complementary User-Entity Controls. Second, vendor management processes to monitor the effectiveness of controls at subservice organizations have been emphasized. Vendor monitoring activities provided in the new standard include:
    1. Reviewing and reconciling output reports
    2. Holding periodic discussions with the subservice organization
    3. Testing controls at the subservice organization by members of the service organization’s internal audit department
    4. Reviewing Type I or Type II reports on the subservice organization’s system
    5. Monitoring external communications, such as customer complaints relevant to the services provided by the subservice organization
  4. The new SSAE-18 Standard adds requirements for the risk assessment process in general and includes the risks associated with the reliance on controls expected to be implemented at user-entities and subservice organizations.
  5. The new SSAE-18 standard requires that the Management Assertion letter accepting responsibility for the description be signed. Previously, under the old SSAE-16 standard, a Management Assertion letter was required but it did not have to be signed.
  6. The new SSAE-18 Standard has also included revisions to the language used in the Management Assertion Letter and Service Auditor’s report to accommodate general changes and those associated with complementary user-entity and subservice organization controls.