Globalization has enabled companies to grow, but it also comes at a cost. It has forced businesses to evolve and adapt to the current business environment. Businesses are forced to specialize in what they do best and outsource the rest to firms and vendors. This has helped reduce costs, meet demand, gain compliance, etc., but it also poses risks. These risks include higher transaction costs, loss of control, loss of innovation, loss of organizational trust, cyber-attacks, etc.
SSAE 18 reports help mitigate some of these risks. These reports offer more visibility into the operations of potential vendors. This helps businesses evaluate whether the vendors or firms they intend to contract for some of their services are a good fit.
What Is SSAE 18?
SSAE 18 was formulated by the American Institute of Certified Public Accountants (AICPA). It’s an acronym for Standards for Attestation Engagements and was created to evaluate service organizations.
SSAE 18 is an update of SSAE 16. Its primary purpose is to streamline the review process and clarify the standards. It also demands that companies gain a better understanding of every organization they contract services to. Businesses contract these organizations to provide services or perform activities that often have financial implications for their clients. These organizations are referred to as subservice organizations.
SSAE 18 isn’t a certification despite companies claiming that they are SSAE 18 certified. The same applies to SSAE 16 and SAS 70.
Difference Between SSAE 18 And SSAE 16
SSAE 16 was the go-to standard for vendors and data centers until SSAE 18 was introduced in May 2017 as its replacement. SSAE 18 differs from SSAE 16 in the following ways:
- SSAE 18 has specific requirements, unlike SSAE 16, which has general considerations of risks. The former requires auditors to assess the subject and obtain a better understanding of the subject, thus making it easy to identify the risks involved. Once the auditor identifies the risks, it becomes easier to formulate measures as a response to the said risks.
- According to SSAE 18 requirements, the auditor has to obtain a written assertion. The assertion is a statement included in the SSAE 18 report, which verifies that the details provided by the service organization are accurate and complete. It strengthens the credibility of the SSAE 18 report. The assertion was also included in the SSAE 16 reports, but there was no requirement stating that it needed to be signed.
- SSAE 18 requires service organizations to disclose all subservice organizations they work with and the nature of each relationship.
- It also requires service organizations to increase vigilance by constantly vetting subservice organizations. There is also the need to implement tools to monitor security controls at the respective subservice organizations.
Impact Of SSAE 18 On Subservice Organization
SSAE 18 provides standards that subservice organizations are required to implement as a way of managing their systems and protecting customer data. In any customer or client relationship, trust and integrity help secure a long-term partnership.
Clients need to focus on their core business service while the providers handle their part. The partnership won’t last long if the client keeps questioning the provider’s internal controls and security measures.
Companies view SSAE 18 reports as an indication that the subservice organization is forthright, and they are more inclined to trust the service provider. The report will keep these companies at ease when contracting part of their services or operations. So many things can go wrong, but the SSAE 18 reports offer the assurance that companies need to trust the subservice providers.
As for the subservice organization, an audit gives better insight into their organization, systems, controls, processes, etc. The report details the audit from the perspective of an outsider. There is almost zero chance of bias; thus, the report is considered accurate. All the issues in the organization are highlighted, and recommendations are offered.
The auditors will point out the flaws in your organization and the areas that are on par with the SSAE standards. Since they have experience working with similar companies, the auditors will recommend tips and measures that are beneficial. Also, the idea of an outsider auditing your company is enough to motivate you to improve the company’s performance, security measures, etc.
SSAE 18 has tons of benefits for service organizations; some are adding the report to their email signatures, website materials, proposals, etc. as a marketing tool. While SSAE 18 reports are not mandatory, they offer subservice organizations an advantage over competitors who lack the report.