Service organizations that handle sensitive data or financial transactions face constant pressure to demonstrate the reliability of their internal controls. For years, the Statement on Auditing Standards No. 70, better known as SAS 70, served as the primary method for reporting on these controls.

As outsourced services have become the standard, the need for a more precise framework led to the adoption of the Statement on Standards for Attestation Engagements No. 16, or simply SSAE 16. SSAE 16 was released in April 2010 to replace SAS 70 and became effective on June 15, 2011.

This standard, established by the American Institute of Certified Public Accountants (AICPA), shifted the focus toward a more rigorous examination of a service organization’s systems of control. SSAE 16 was a US auditing standard designed for service organizations to provide insight into their internal controls for clients. Compliance with SSAE 16 was often required by clients, especially in industries where financial reporting is affected. It was designed to align US auditing standards with international reporting requirements, specifically ISAE 3402. While SSAE 16 was the standard for several years, it has since been replaced by SSAE 18, which is the current standard today.

There are many acronyms involved, so it is worth explaining how these service organization standards have changed over the years. Understanding them is necessary for any company that uses data centers or other outsourced providers to manage its operational activities.

What Are Auditing Standards? Understanding SSAE 18 and Its Predecessors

Auditing standards are essential guidelines that certified public accountants (CPAs) follow to verify the accuracy, consistency, and reliability of financial statements and other key information. In the United States, the Auditing Standards Board (ASB) of the AICPA serves as the primary authority for developing and issuing these standards. For service organizations, adhering to these auditing standards is necessary, especially when their services impact the financial reporting of user entities.

These standards, such as the historical SSAE 16 and the current SSAE 18, provide a structured framework for reporting on controls at a service organization. This framework is essential for organizations that rely on outsourced services, as it allows user entities to assess the effectiveness of the controls in place at their service providers. By following the standards set by the AICPA, service organizations can demonstrate their commitment to transparency and accountability. Ultimately, strong auditing standards help build trust between service organizations, their clients, and other stakeholders by confirming that controls are properly designed and operating as intended.

SAS 70

SAS 70 was introduced in April 1992 and was originally intended to help auditors of financial statements understand how a service organization might impact a user organization’s internal controls. Over time, the auditing world began using SAS 70 as a general-purpose security audit. This was a misapplication of the standard. SAS 70 was not a checklist for security; it was a reporting mechanism for financial controls. SAS 70 and its local derivatives were widely adopted as universally accepted audit mechanisms for reporting controls at service organizations.

The AICPA recognized this discrepancy. To correct it, they introduced SSAE 16 (effective in 2011) to provide a fresh approach. SSAE 16 required a service organization’s management to provide a written assertion about the fair presentation of the system description and the suitability of the control design. This added a layer of accountability that was missing from the older framework.

SAS 70 to SSAE 16

The move from SAS 70 to SSAE 16 marked a significant shift in how service companies reported on their operations. Under SAS 70, the auditor was responsible for describing the controls. Under the newer attestation standards, the service auditor’s role shifted to evaluating and attesting to the service organization’s system, which includes a comprehensive description of infrastructure, software, people, procedures, and data.

This change required service organizations to have a deeper understanding of their own processes. It is no longer enough to simply have controls in place; management must be able to document and assert that those controls are operating effectively. SSAE 16 requires reports to include a detailed description of the service organization’s system. SSAE 16 reports (and now SSAE 18) are considered auditor-to-auditor communications rather than certifications.

SSAE 16 vs SOC 1

One of the most common points of confusion in the industry is the relationship between the auditing standard (SSAE) and the report type (SOC). To be clear, SSAE 18 (formerly SSAE 16) is the professional standard used by the service auditor to perform the audit. The resulting document is a SOC 1 report. SOC stands for System and Organization Controls (formerly Service Organization Controls).

A SOC 1 report focuses specifically on internal controls over financial reporting. If a service organization provides services that could impact the financial statements of its clients—such as payroll processing, medical billing, or financial data hosting—a SOC 1 report is the appropriate choice. This report helps user entities and their auditors assess the risks associated with the outsourced services.

SOC 1

When a service organization undergoes a SOC 1 engagement, the service auditor evaluates whether the control objectives are suitably designed. In a Type II report, the auditor also tests the operating effectiveness of those controls over a specific period. This provides assurance to business partners and user organization stakeholders that the service organization’s system is functioning as described.

SSAE 18: The New Standard

Effective as of May 1, 2017, SSAE 18 is the current standard governing these types of reports. It builds upon the foundation of SSAE 16 but introduces new requirements for risk management and subservice organization monitoring.

The transition to SSAE 18 was driven by a push for transparency in the supply chain. Most service organizations rely on other vendors—known as subservice organizations—to deliver their own services. For example, a software provider might host its application in a third-party data center. Under SSAE 18, the primary service organization must implement appropriate controls to monitor these subservice organizations. This verifies that the entire chain of service remains compliant and secure.

Six Practical Insights on the SSAE 18 Auditing Process

From an accounting perspective, the move to SSAE 16 and eventually SSAE 18 introduced several practical changes that organizations must understand.

  1. Detailed System Description: The requirement for a “description of the system” is much more detailed than the older SAS 70 “description of controls.” Management must explain how the entire service is delivered, not just the specific control activities.
  2. Management Assertion: The written assertion from management is a formal legal statement. It means that the leaders of the service organization take full responsibility for the accuracy of the report.
  3. Global Alignment: Because SSAE 18 closely mirrors international standards (ISAE 3402), a US-based service organization can use its SOC report to satisfy international business partners.
  4. Design Matters: The emphasis on “suitably designed” controls means that even if a control is operating effectively, it could still fail the audit if it is not designed to address the relevant risk.
  5. Restricted Use: The Auditing Standards Board has made it clear that SOC 1 and SOC 2 reports are for restricted use. They are intended for the service organization, its user entities, and the auditors of those user entities. They are not meant to be public marketing documents; SOC 3 reports are available for that purpose.
  6. Continuous Compliance: Compliance is not a one-time event. It is a continuous cycle of risk assessment, control implementation, and testing.

SSAE Standards in Action: Organization Controls and Risk Management

For data centers and service companies, maintaining high-quality organization controls is a business requirement. The audit process involves identifying potential risks to the service organization’s system and implementing controls to mitigate those risks. This risk management process is a core component of both SSAE 16 and SSAE 18.

Service organizations must identify the specific risks that could prevent them from achieving their control objectives. These might include risks related to physical security, logical access, or system availability. Once these risks are identified, the organization must design and implement controls to address them. The service auditor’s role is to verify that these controls are in place and, in the case of a Type II report, that they are working as intended.

Data Centers and SOC Reporting

Data centers are a prime example of why these standards are necessary. When a company moves its servers to a third-party facility, it loses direct oversight of the physical environment. It must rely on the data center to provide security, power, and cooling. An attestation report, such as a SOC 1 or SOC 2, provides the evidence needed to trust the data center’s operational activities.

For a data center, an SSAE 18 examination typically covers controls related to:

  • Physical security and access logs
  • Environmental protections like fire suppression and UPS systems
  • Network monitoring and maintenance
  • Backup and disaster recovery procedures

By providing a SOC report, the data center offers a universally accepted audit mechanism that satisfies the compliance requirements of its diverse client base. This reduces the need for each individual client to perform their own audit of the facility.

Service Auditor Reports: Type I and Type II

There are two types of service auditor reports available under the SSAE standards.

Type I: This report describes the service organization’s system at a specific point in time. The service auditor reports on whether the description is fairly presented and whether the controls are suitably designed to achieve the specified control objectives as of a certain date.

Type II: This report covers a period of time, usually six to twelve months. In addition to the requirements of a Type I report, the auditor tests the operating effectiveness of the controls. This is the preferred report for most user entities because it provides evidence that the controls were functioning consistently throughout the period.

The choice between Type I and Type II depends on the needs of the user organizations. Most business partners require a Type II report to fulfill their own internal audit and compliance mandates.

The Role of the American Institute of Certified Public Accountants (AICPA)

The AICPA is the body that establishes the standards for attestation engagements. They provide the framework that CPA firms must follow when conducting these examinations. By adhering to AICPA standards, service auditors ensure that their reports are consistent, reliable, and recognized by the financial and regulatory communities.

The AICPA has also been instrumental in developing the SOC 2 and SOC 3 frameworks, which address non-financial controls. While SOC 1 focuses on financial reporting, SOC 2 is based on the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Accounting Principle Authority and Compliance

The authority of these standards is recognized across the auditing world. When a CPA firm issues a report under SSAE 18, it is providing a high level of assurance that can be trusted by shareholders, regulators, and clients. This trust is the foundation of the modern service economy. Without a universally accepted audit mechanism, the risk of data breaches and financial misstatements would be too high for many companies to consider outsourcing.

The use of these reports is also common in HIPAA compliance. While a SOC report is not a HIPAA certification, many of the controls tested in a SOC 2 audit overlap with HIPAA security rule requirements. For healthcare organizations, using a service provider with a current SOC 2 report is a major step in performing due diligence on their business associates.

Subservice Organization Monitoring

As mentioned earlier, the management of subservice organizations is a key element of the new standard. Service organizations can choose between two methods for reporting on these subservices:

  1. The Carve-Out Method: This method excludes the subservice organization’s controls from the report. However, the service organization must still describe the services provided by the vendor and explain how it monitors those services.
  2. The Inclusive Method: This method includes the subservice organization’s controls within the scope of the audit. This requires the subservice organization to provide its own written assertion and allow the service auditor to test its controls.

Most organizations use the carve-out method because it is less complex, but the requirement for active monitoring remains. Service organizations must demonstrate that they are reviewing the SOC reports of their vendors, conducting site visits, or using other methods to ensure the subservice organization is meeting its obligations.

Internal Controls and User Entities

The primary audience for any service auditor report is the user entity. These are the organizations that use the services of the service organization. The user entity’s internal control environment is directly affected by the controls at the service organization.

For example, if a company uses a cloud-based accounting system, the security of its financial data depends on the controls of the cloud provider. The company’s own auditors will look at the provider’s SOC 1 report to determine if they can rely on the data coming out of that system. If the service organization does not have a report, the user entity may be forced to perform its own audit, which is time-consuming and expensive for both parties.

Benefits of SOC 1 and SOC 2 Reports

SOC 1 and SOC 2 reports are effective tools for service organizations seeking to provide assurance about their internal controls to clients and business partners. A SOC 1 report is specifically designed to address controls relevant to financial reporting, making it necessary for user entities that depend on accurate financial data from their service providers. In contrast, a SOC 2 report evaluates controls against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.

The benefits of obtaining SOC 1 and SOC 2 attestation reports are significant. For user entities, these reports offer confidence that the service organization has implemented appropriate controls to protect their interests and support their own compliance requirements. For service organizations, the reports serve as evidence of a strong risk management culture.

Additionally, the process of preparing for and undergoing a SOC 1 or SOC 2 examination often helps service organizations identify areas for improvement within their systems. By addressing gaps and strengthening controls, organizations can reduce the risk of data breaches and other security threats. In today’s environment, SOC 1 and SOC 2 reports have become essential for compliance and risk management.

SOC 2 and Processing Integrity

For many technology companies, a SOC 2 report is more relevant than a SOC 1. While a SOC 1 helps with financial statements, a SOC 2 provides assurance regarding the security and operational integrity of a system.

Processing integrity is a core component of SOC 2. It verifies that system processing is complete, valid, accurate, timely, and authorized. This is especially important for companies that handle large volumes of data or perform complex computations for their clients. A SOC 2 report provides evidence that the company has the internal controls necessary to prevent data breaches and maintain system reliability.

Establishing Long Term Trust as Standards Evolve

As technology continues to change, the standards for attestation engagements will also evolve. The ever-growing pool of service providers means that the demand for transparency will only increase. Organizations that stay ahead of these changes by maintaining strong internal controls and regular audit cycles will be better positioned to win the trust of business partners.

The shift from the dated SAS 70 to the modern SSAE 18 represents a move toward greater professional rigor and accountability. By focusing on the service organization’s system as a whole rather than just isolated controls, these standards provide a comprehensive view of operational health.

Relying on a service organization requires a significant amount of trust. Service auditor reports bridge the gap between that trust and the technical reality of the services performed. Whether it is through a SOC 1 report focused on financial reporting or a SOC 2 report focused on security and processing integrity, these documents provide the objective evidence that a service organization is meeting its obligations.

For any service company, the investment in an annual SSAE 18 examination is an investment in its own credibility. It demonstrates a commitment to excellence and a proactive approach to risk management. As the global de facto framework for service organization reporting, these standards remain the most effective way to provide assurance in an increasingly complex world.