Statement on Standards for Attestation Engagements (SSAE 18)
Governance & Compliance
Definition
Auditing standard for reporting on internal controls.
Technical Details
SSAE 18 is an attestation standard issued by the American Institute of Certified Public Accountants (AICPA) for reporting on internal controls over financial reporting and related services. It gives auditors guidelines for evaluating both the design and the operating effectiveness of controls relevant to the services a service organization provides. The standard supersedes SSAE 16 and requires service organizations to demonstrate their internal control environment through rigorous testing and reporting, so that user entities can rely on the control reports these organizations issue.
Practical Usage
In practice, SSAE 18 matters most to service organizations that handle sensitive data or financial information on behalf of clients. Cloud service providers, data centers, and managed service providers commonly undergo SSAE 18 audits to give their clients assurance that their internal controls operate effectively. That assurance supports compliance with regulations such as Sarbanes-Oxley (SOX) and builds trust with customers who require evidence of a robust control environment. Organizations use SSAE 18 reports to assess the risks of outsourcing services and to confirm that third-party vendors maintain adequate security measures.
Examples
- A cloud storage provider undergoes an SSAE 18 audit to demonstrate its controls over data protection, ensuring that its clients' sensitive information is secure and that the provider complies with industry standards.
- A financial services company requires its third-party payment processor to provide an SSAE 18 report to verify that the processor's internal controls around financial transactions are effective and reliable.
- An IT managed services firm completes an SSAE 18 audit to assure its clients that it maintains strict access controls, incident response procedures, and data integrity measures.