Understanding the Difference Between SSAE 16 and SSAE 18

Demystifying the Differences Between SSAE 16 and SSAE 18 Auditing Standards

In the world of auditing and attestation engagements, standards evolve to keep pace with the changing business landscape. Two important auditing standards, SSAE 16 and SSAE 18, are critical for service organizations seeking to assure their clients and partners of their commitment to controls and security. In this blog, we'll dive into the distinctions between SSAE 16 and SSAE 18 and explain how these changes impact service organizations and their auditors.

SSAE 16 - The Earlier Standard

1. Introduction:

  • Development Date: SSAE 16, short for Statement on Standards for Attestation Engagements No. 16, was introduced by the American Institute of Certified Public Accountants (AICPA) in 2010.
  • Purpose: It was designed to assess the internal controls over financial reporting for service organizations, especially those that could impact the financial statements of their clients.

2. Control Assessments:

  • Type I vs. Type II: SSAE 16 audits involved two types of reports: Type I, which evaluated the design of controls, and Type II, which assessed the design and operational effectiveness of controls over a specified period.

SSAE 18 - The Evolved Standard

1. Introduction:

  • Development Date: SSAE 18, titled "Attestation Standards: Clarification and Recodification," replaced SSAE 16 in 2017.
  • Scope Expansion: Unlike its predecessor, SSAE 18 covers a broader range of attestation engagements beyond internal controls over financial reporting.

2. Control Assessments:

  • Clarified Terminology: SSAE 18 introduced clarified terminology. The previous Type I and Type II reports are now referred to as "Description Criteria" and "Control Criteria."
  • Complementary User Entity Controls: SSAE 18 recognizes the importance of complementary user entity controls: controls that are integral to achieving the service organization's objectives but are the responsibility of the user entity.

3. Reporting Structure:

  • One Report, Multiple Criteria: SSAE 18 consolidates multiple attestation standards into a single framework. This allows service organizations to include different sets of criteria in a single report if they serve multiple user entities with varying requirements.

4. Communication with User Entities:

  • Mandatory Communication: SSAE 18 requires the service auditor to communicate specific information to user entities. This includes significant deficiencies and material weaknesses in controls, as well as any non-compliance with the entity's policies.

5. Risk Assessment:

  • Enhanced Risk Assessment: SSAE 18 places a greater emphasis on the service auditor's assessment of risk. It requires the auditor to consider the potential impact of a service organization's services on user entities' financial reporting.

Choosing Between SSAE 16 and SSAE 18:

Service organizations and their auditors need to consider various factors when determining whether SSAE 16 or SSAE 18 is the appropriate framework:

Engagement Scope: If the engagement extends beyond controls over financial reporting, SSAE 18 is the more suitable standard.

User Entity Requirements: If you serve multiple user entities with varying requirements, SSAE 18's flexibility may be advantageous.

Risk Assessment: Consider the level of risk associated with your services and whether SSAE 18's emphasis on risk assessment is beneficial.

In conclusion, SSAE 16 and SSAE 18 represent distinct milestones in the world of attestation standards. SSAE 18's expanded scope, clarified terminology, and enhanced risk assessment make it a more comprehensive and flexible framework for assessing controls and security in service organizations. Understanding these differences is crucial for service organizations and their auditors to ensure they select the most appropriate standard for their specific engagement needs.