SSAE 18 Changes & Requirements
The SSAE 18 replaced the SSAE 16, which used to be called the SAS 70. Whew, with all those letters and numbers, the significance of SSAE 18 requirements get a little lost in the complexity of the naming process. However, breaking down the requirements can make the compliance process easier.
What Does SSAE Mean?
SSAE stands for “Statement on Standards for Attestation Engagements.” SSAEs were set forth by the American Institute of Certified Public Accountants (AICPA). These formalize the auditing standards for CPAs.
The first step to understanding SSAE 18 requirements is understanding what “SSAE” means. “Attest engagement” may seem like a fancy term for “audit,” but it has a specific meaning. Per the AICPA, attest engagements are when an accountant in public practice is “engaged to issue or does issue an examination, a review, or an agreed-upon procedures report on subject matter, or an assertion about the subject matter (hereafter referred to as the assertion), that is the responsibility of another party.”
In short, an attest engagement is pretty similar to, but a bit broader than, an audit. Attestation standards require looking what management says is happening and then determines how close to the statements the reality is.
An audit is a type of attestation engagement wherein the third party reviews whether the client is following specific rules within a specified framework.
For example, a company can ask for an attestation that they are properly protecting customer data. The practitioner investigates whether management controls match their goals. This attestation is then given to interested parties, likely future customers or clients, to create confidence in management. The audit is more specific and remains private. The audit verifies that the client is following all the internal control rules for PCI DSS or ISO 27001 or FedRAMP. The SSAE may incorporate the audit data, so the two are intertwined. However, they are slightly different in both purpose and evidence.
How Is an SSAE 18 Used?
Over the course of IT audit history, the type of report used to ensure client confidence over an organization’s controls has changed. User entities, or those organizations that use a service organization, need to show that they have maintained review as part of their vendor management protocols.
Back in the day, these reports were referred to as SAS 70s. When hiring a vendor, appropriate vendor management required review of the vendor’s controls.. When contracting with a vendor, review of the SAS 70 was used as proof of appropriate management oversight.
As the SAS 70 morphed into the SSAE 16, the goals of the reports remained the same while the specifics changed. In 2016, the Auditing Standards Board (ASB) attestation requirements for SOC reports, specifically SOC 1, underwent a recodification.
An SSAE 16 was specific to service organizations and SOC 1. The main difference between SSAE 16 and SSAE 18 requirements lies in the applicability of SSAE 18 to all attestation examinations. What used to be specified only for certain service organizations has been expanded to anyone incorporating an attestation engagement. Therefore, while SOC 1 reports used to constitute SSAE 16 examinations, the expanded use of SSAE 18 means that SOC 1 reports are back to being, well, SOC 1 reports.
What Are the Key Differences Between SSAE 16 and SSAE 18 Requirements?
Understanding SSAE 18 requirements means clearly delineating the differences from an SSAE 16. Although there are only two main divergences from former protocols, they are pretty huge changes.
Identify All Subservice Providers
Everyone knows the game “6 Degrees of Kevin Bacon.” Functionally, an SSAE 18 plays that game with service providers.
A service organization is, as the name suggests, any entity that provides a service. This can be anything from PCI DSS services to cloud hosting. However, many of those service providers also use service providers. These have been deemed “subservice organizations,” and they offer services to the service providers.
The Kevin Bacon analogy works well here. The theory of “6 Degrees of Kevin Bacon” is that every actor in Hollywood is somehow connected to Bacon. In fact, this game is so popular that even Google has a shortcut. Simply type in an actor’s or actress’s name followed by “bacon number.” This will show the connections.
For example, Bill Gates has a “Bacon Number” of 3. Bill Gates and William Shatner appeared in How William Shatner Changed the World. William Shatner and Sarah Jessica Parker appeared in Escape from Planet Earth. Sarah Jessica Parker and Kevin Bacon appeared in Footloose.
Similarly, Barack Obama is only one step away from Kevin Bacon. Barack Obama and Steve Carell appeared in We Are One: The Obama Inaugural Celebration at the Lincoln Memorial.
Steve Carell and Kevin Bacon appeared in Crazy, Stupid, Love.
Vendors work similarly. For example, imagine an organization that uses AWS. AWS might contract out its physical security to Securitas. Securitas likely contracts out its background checks. Understanding these connections helps map the strength of all the controls involved.
Understanding SSAE 18 requirements means not just identifying all the degrees of separation but then analyzing all of these connections to create a whole out of the parts.
Understand Complementary Subservice Organization Controls
Once the subservice providers have been identified, you need to identify the controls those providers use. The main difference in these scenarios is that when you rely on vendors, hiring one is hiring all. To truly understand a compliance stance, your organization needs to understand all of the different moving parts clearly.
Putting this into Bacon Number terms, evaluating Bill Gates and Barack Obama based on their degrees of separation from Kevin Bacon offers insight into their power in entertainment.
Bill Gates is related to William Shatner in a spoof. Shatner is related to Sarah Jessica Parker. Neither of have been awarded an Academy Award for their performances. The movie that connects Shatner and Parker is Escape from Planet Earth, which scored a 33% on Rotten Tomatoes. Footloose, scoring a 58% on Rotten Tomatoes, connects Bacon and Parker. Based on the ratings of the connections, you can make an assumption about the artistic content of Bill Gates’ movie credentials can be made, and it’s that he’s not an art house movie actor.
Barack Obama is related to Steve Carell through his inauguration ceremony. Steve Carell won the 2015 Oscar for Best Actor. The movie that connects Steve Carell and Kevin Bacon is Crazy, Stupid, Love. This movie scores a 78% on Rotten Tomatoes. Based on the connections and ratings, Barack Obama’s connection to Bacon has strong artistic merit.
Reviewing the credentials of each step leads to a better understanding of the original non-actor’s artistic merit.
In the same way that these social connections and this social distance implies quality, so do the SSAE 18 service auditor reviews of subservices. Being in SSAE compliance means evaluating each step of the separation for security compliance. If one of these fails, there’s a domino effect on the others. This means that a service organization needs to detail and monitor the controls of the subservice organizations in its business stream.
The stronger the compliance of the connections, the better the compliance of the overall business integrations.
How Does an Organization Comply with SSAE 18?
One of the first steps to SSAE 18 SOC 1 compliance is having a risk assessment. SOC 2 traditionally focuses on a risk matrix, but SOC 1 does not require this. With the incorporation of these new subservice provider reviews, SSAE 18 focuses more on your organization’s overall vendor risk profile.
Beyond that, SSAE 18 notes six ways to improve compliance. First, organizations should review and reconcile output reports, including financial reporting and external communications. Second, communication matters, so having periodic discussions with subservice organizations can provide assurance. Third, companies can make regular site visits to subservice organizations to validate their statements. Fourth, an organization’s internal audit function should test subservice vendor controls. Fifth, management should review the SOC 1 or SOC 2 reports provided by the subservice organization. Sixth, an organization should monitor external communications, such as customer complaints about services, from its subservice vendors.
How Can GRC Automation Help with SSAE 18 Requirements?
As vendor management becomes more complex with more service providers and subservice providers to manage, organizing the information in a single location becomes more important. When your auditor comes to validate your controls, they will consider management’s oversight of subservice providers. This oversight revolves mostly around documentation and its review. Proving this to auditors means having a system of record to show the whos, whens, and hows of review.
With this in mind, automation provides not only a repository for that documentation but also a way to create the documentation. With records of task assignments and completions, GRC automation gives a single source of truth for the oversight needed to meet SSAE 18 attestation requirements.
Negotiating the change to SSAE 18 requirements means understanding your organization’s business partners as well as their partners. Managing the documentation and responsibilities to meet these new standards means finding ways to organize information.
For more information about the importance of vendor management, watch our webinar “Follow the Data: 9 Strategies to Making 3rd Party Risk Less Opaque.”