The SSAE 18, or Statement on Standards for Attestation Engagements No. 18, auditing standards require that service organizations confirm and re-confirm third-party vendor certifications and controls on an ongoing basis.

Overseen by the American Institute of Certified Public Accountants (AICPA), SSAE 18 governs how companies report on their internal controls. According to the AICPA, attest engagements are when an accountant in public practice is “engaged to issue or does issue an examination, a review, or an agreed-upon procedures report on subject matter, or an assertion about the subject matter (hereafter referred to as the assertion), that is the responsibility of another party.”

These audits usually result in System and Organization Controls (SOC) reports that offer information that’s necessary to accurately evaluate the risks associated with outsourced vendors. Service auditors are required to follow these rules when they conduct SSAE 18 engagements. 

SSAE 18 was issued in 2017 to replace the SSAE 16 standards, which replaced the Statement on Auditing Standards No. 70, or SAS 70. SSAE 18 imposes greater scrutiny on how service organizations evaluate and report on their third-party vendors. The SSAE 18 report is іntеndеd to be used bу a service organization’s сuѕtоmеrѕ and its аudіtоrѕ.

As such, SSAE 18 requires service organizations to apply the same risk assessment standards to vendors they work with directly as well as indirectly. The reason for that is when a service organization contracts with a third-party vendor to provide a service, that third-party vendor likely subcontracts some of its services out to another provider.

Under SSAE 18, these providers are classified as “sub-service organizations.” And that means that they must undergo the same risk assessments to evaluate their organizational controls before the original service organization can receive a SOC attesting that it has the proper systems in place to manage risk.

SSAE 18 aims to avoid situations where customers might unwittingly expose their companies to risk because their service organizations partnered with sub-service organizations that didn’t have the necessary risk management policies and procedures in place.

The standards set out by SSAE 18 apply directly to creating SOC reports, which come in these three forms:

  • SOC 1: This audit reports on whether a service organization has effective internal controls in place that relate to financial reporting to protect customer data.
  • SOC 2: This audit assesses internal controls pertaining to security, including data availability, confidentiality, privacy, and processing integrity.
  • SOC 3: Like a SOC 2 audit report, this SOC report attests to the appropriateness of internal security controls without offering any specific descriptions of an organization’s systems. SOC 1 and SOC 2 reports are available to clients who use the services of service organizations, but a SOC 3 report is for the general public or marketing purposes. This lets potential clients see that a service organization is compliant without disclosing any critical or proprietary corporate information.

A service organization should follow a SSAE 18 checklist to ensure compliance that includes the following tasks. A service organization should:

  • Determine the Service and Organization Controls report necessary for the organization as each SOC report requires different information.
  • Find a CPA firm that aligns with its needs.
  • Define the sub-service organizations and complementary user entity controls that need to be reviewed as part of the audit. 
  • Set internal control objectives, including defining the internal controls that require review.
  • Have constant communication with its third-party vendors.
  • Visit these third-party vendors regularly to ensure everything is operating efficiently.
  • Perform internal control audits for its third-party vendors.