The Key Differences Between SSAE-16 and SSAE-18 Assessments

Today, many organizations are concerned with the IT and security control practices used by third party providers \ vendors. Organizations are demanding independent assessments of the IT and security control measures of their third party organizations. In many cases, they are requesting some type of SSAE-16 review or an SSAE-18 assessment.

A New Standard

The new SSAE-18 standard, “Concepts common to all Attestation engagements” replaces the old SSAE-16 Standard, “Statements on Standards for Attestation engagements 16, reporting on Controls at a Service Organization” as of May 1, 2017. the old SSAE-16 Standard was based on the requirements and guidance provided by Attestation Standards section 801, reporting on Controls at a Service Organization. the new SSAE-18 Standard is based on the requirements and guidance provided by Attestation Standards section 320, reporting on an examination of Controls at a Service Organization relevant to User entities’ Internal Control Over Financial reporting.

The 6 differences that summarize the change between SSAE-18 and SSAE-16

1. The new Standard works under a redefined SOC acronym. SOC as defined under the old SSAE-16 Standard stood for Service Organization Control. Under the new SSAE Standard, SOC now stands for System and Organizational Controls, and applies to other types of organizations and both system and/or entity-level controls.
2. In the old SSAE-16 Standard, complementary user-entity controls were defined as those controls at user-entity organizations that were both necessary and unnecessary to achieve control objectives stated in management’s description. Under the SSAE 18 Standard, complementary user-entity controls are now defined as those controls that are only necessary to achieve control objectives stated in management’s description.
3. The new SSAE-18 Standard adds requirements related to subservice organizations and vendor management processes. First, complementary subservice organization controls have been introduced and include those controls expected to be implemented at subservice organizations that are necessary to achieve the control objectives stated in the management’s description. When subservice organization is carved out, the inclusion of Subservice Organization Controls are now provided in management’s description similarly to Complementary User-entity Controls. Second, vendor management processes to monitor the effectiveness of controls at subservice organizations have been emphasized. Vendor monitoring activities provided in the new Standard include:
   1. Reviewing and reconciling output reports
   2. Holding periodic discussions with the subservice organization
   3. Testing controls at the subservice organization by members of the service organization’s internal audit department
   4. Reviewing type 1 or type II reports on the subservice organization's system
   5. Monitoring external communications, such as customer complaints relevant to the services provided by the subservice organization
4. The new SSAE-18 Standard adds requirements for the risk assessment process in general and includes the risks associated with the reliance on controls expected to be implemented at user-entities and subservice organizations.
5. The new SSAE-18 Standard requires that the Management Assertion letter accepting responsibility for the description be signed. Previously, under the old SSAE 16 Standard, a Management Assertion letter was required but it did not have to be signed.
6. The new SSAE-18 Standard has also included revisions to the language used in the Management Assertion Letter and Service Auditor’s report to accommodate general changes and those associated with complementary user-entity and subservice organization controls.