The Statement on Standards for Attestation Engagements 18, or SSAE 18, is a standard that auditors can use to review the controls of technology vendors and other service providers, so that businesses using those vendors can be confident that the vendors’ controls, particularly those related to cybersecurity, won’t pose a risk to their own business.
The standards within SSAE 18 are the basis for the System and Organization Controls (SOC) reports that vendors produce, usually to show prospective customers that the vendor’s data security controls and third-party governance are effective.
SSAE 18: How It Works
In place since 2017, SSAE 18 is a product of the American Institute of Certified Public Accountants (AICPA), the body that establishes CPA auditing standards.
An “attestation engagement” is similar to an audit, but its scope is a bit broader. Under the AICPA’s definition, an attestation engagement refers to an accountant hired to issue “an examination, a review, or an agreed-upon procedures report on the subject matter, or an assertion about the subject matter … that is the responsibility of another party.”
Put simply, attestation engagements review what management says is happening and then determine whether those statements reflect reality.
For example, a company might ask for an attestation that it’s properly protecting customer data. The auditor investigates whether management’s controls match the company’s stated goals. The attestation then goes to interested parties, such as potential customers or clients, to create confidence in management.
In contrast, an audit is a specific type of attestation engagement where the auditor reviews whether the client is following the rules of a specified framework.
The audit is more specific and remains private. Continuing with our customer data example from above, an audit would verify that the company is following all the internal control rules for PCI DSS, ISO 27001, or FedRAMP security standards. An SSAE 18 attestation might incorporate the audit data, so the two are intertwined, but they still differ in their purpose and evidence.
SSAE 18: A Brief History
The type of report used to provide assurance over a vendor’s controls has changed over the years.
These reports were originally called “Statement on Auditing Standards No. 70” or SAS 70 reports. When a business was hiring a vendor, it had to review the vendor’s controls as part of good vendor risk management. A review of the vendor’s SAS 70 report was one way to gain that assurance.
SAS 70 was eventually rebranded as SSAE 16; the broad objectives of the reports remained the same, although the specifics changed somewhat. The Auditing Standards Board later changed its standards yet again, so that SSAE 16 applied specifically to internal controls over financial reporting, while SSAE 18 applied to attestations for all types of internal controls.
How SSAE 18 Is Used
A service organization is any entity that provides a service to others: data storage, website hosting, payroll services, legal help, and so forth. Many service providers, however, also use other service organizations. These secondary organizations are known as “subservice organizations.”
For example, a payroll business might use Amazon Web Services to maintain its website. AWS might contract out its physical security to a professional security firm. That security firm might outsource the performance of background checks on new hires.
Understanding all these connections helps to map out the strengths and weaknesses of internal controls that each of those organizations has, in case a failure in one might somehow cause problems for another.
SSAE 18 requirements help to analyze the connections. An SSAE 18 service auditor evaluates your service providers and subservice providers for their security compliance, and the resulting attestation report can help a business make better decisions about which service organizations to use. (Or, for service organizations themselves, the report can guide their plans to improve internal controls.)
How to Comply With SSAE 18
SSAE 18 identifies six ways to improve compliance.
- Review and reconcile output reports, including financial reporting and external communications.
- Communication matters a lot, so holding periodic discussions with subservice organizations can provide assurance.
- Make regular site visits to subservice organizations to validate their statements.
- Have your internal audit function test your subservice vendor controls.
- Management should review the SOC 1 or SOC 2 reports provided by subservice organizations.
- Monitor external communications, such as customer complaints about services, from subservice vendors.
How GRC Automation Can Help
As vendor risk management becomes more complex, with ever more service providers and subservice providers to manage, organizing all the information in a single location becomes more important. GRC automation increases your efficiency at that task.
When your auditor comes to validate your controls, they will consider management’s oversight of subservice providers, asking to see documentation and evidence that managers have reviewed it.
GRC automation can provide not only a repository for that documentation but also a way to create it. ZenGRC uses a “single source of truth” repository, complete with records of task assignments and completions, to collect and store the oversight documents needed to meet SSAE 18 attestation requirements.
Stop Worrying, Start Complying
Are you tearing out your hair trying to survey and track all your vendors and subservice providers, and then document their responses using email and spreadsheets? Stop! ZenGRC can do most of this work for you, automatically.
For more information about the importance of vendor management, watch our webinar “Follow the Data: 9 Strategies to Making 3rd Party Risk Less Opaque.” Or contact us now for your free consultation, and start on the worry-free path to SSAE 18 compliance.