Making the Switch from SSAE 16 to SSAE 18

When service organizations receive a SOC 1 examination, it is performed under the SSAE 16 or “Statements on Standards for Attestation Engagements 16, Reporting on Controls at a Service Organization” standard.

In spring 2016, the AICPA’s Auditing Standards Board (ASB) completed the clarity project, the result of which was the issuance of the SSAE 18 standard, “Concepts common to all Attestation Engagements”. This new standard replaces SSAE 16 for SOC 1 engagements and goes into effect for reports dated after May 1, 2017.

It is important to note that the SSAE 16 standard was specific to service organizations and the SSAE 18 is for all attestation engagements. This means that we can no longer refer to SOC 1 as an SSAE 16 examination and it will not be replaced by the term SSAE 18 examination. Instead, it will simply be referred to as the SOC 1.

Despite the potential for confusion related to the naming of the examinations and reports, the actual changes to what a service organization has to do to prepare for an examination are not extensive. Here are four changes that come with SSAE 18 that affect the SOC 1 examination.


  1. Vendor Management

The most significant change in the requirements that a service organization has to meet is ensuring that its vendor management program for subservice providers (for example, colocation facilities) is significantly robust. SSAE 18 requires that service organizations implement processes that monitor the controls at subservice organizations. SSAE 18 provides the following control suggestions:

  • Review and reconcile output reports.
  • Hold periodic discussions with the subservice organization.
  • Make regular site visits to the subservice organization.
  • Test controls at the subservice organization by members of the service organization’s internal audit function.
  • Review Type I or Type II reports on the subservice organization’s system.
  • Monitor external communications, such as customer complaints relevant to the services by the subservice organization.

  2. Risk Assessment

Another change under SSAE 18 is a move to more specific requirements, as opposed to the existing general considerations of risk via a risk assessment. SSAE 18 requires service auditors to obtain a more in-depth understanding of the development of the subject matter than currently required, in order to better identify the risks of material misstatement in an examination engagement. This, in turn, should lead to an improved linkage between assessed risks and the nature, timing, and extent of attestation procedures performed in response to those risks.

  3. Complementary Subservice Organization Controls

SSAE 16 required that service organizations provide a listing of controls that should be performed by user organizations.

In order to recognize that more organizations are outsourcing key functions to their own set of subservice organizations, SSAE 18 introduces the concept of “Complementary Subservice Organization” controls. This concept establishes and defines the controls that user entities must now assume in the design of the system description. Another key factor related to these complementary controls is that they are necessary for the achievement of control objectives in the report. SSAE 18 provides more guidance around this area, and will hopefully lead to more consistent reporting across entities and practitioners.

  4. Written Assertion Requirement

The final change to the SOC 1 is the requirement, per SSAE 18, that the service auditor obtains a written assertion. This written assertion is the statement found within the SOC report wherein the service organization asserts that the system description provided is essentially true and complete. This statement has always been contained within the SOC 1 reporting document but the requirement that the service organization signs the document was optional. In practice, the majority of service organizations have already been signing this document, as a way to strengthen the credibility of the report. Accordingly, there will not be significant changes to what either the service auditor or service organization will have to do to meet this requirement.

It is important for you to understand these changes and how they will impact your organization before the standard goes into effect in May 2017. Our assessors can prepare you for this change and ensure you stay in compliance. Contact A-LIGN today for assistance at [email protected] or 1-888-702-5446.

What are the differences between ISAE 3402 and SSAE 16?

The preferred reports for service organizations with direct impact on internal controls over financial reporting of their clients are the SSAE 16 (Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was issued by the Auditing Standards Board of the American Institute of Certified Public Accountants) and ISAE 3402 (International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization, was issued in December 2009 by the International Auditing and Assurance Standards Board). While these reporting options were designed to align, there is a common misconception that an SSAE 16 examination and an ISAE 3402 examination are exactly the same. A careful review shows that there are actually nine key differences that make ISAE 3402 distinct from an SSAE 16.

The Differences Between ISAE 3402 and SSAE 16

  1. Intentional Acts by Service Organization Personnel

SSAE 16 requires the service auditor to investigate any noted deviations that could have been caused by an intentional act of service organization personnel. It also requires that the auditor receives written representation from service organization management detailing any actual, suspected or alleged intentional acts that could affect the fair presentation of management’s description of the system. An example of an intentional act could be something such as an employee committing fraud.

While both standards require the investigation of any deviations identified, the ISAE 3402 does not explicitly require auditors to obtain the written representations.


  2. Anomalies

An operating anomaly is something that deviates from the standard. ISAE 3402 contains a requirement that allows a service auditor to conclude that a deviation that is identified when testing a sample of the control can be considered an anomaly. This is because of the idea that when controls are sampled, they are not necessarily representative of the entire population from the samples drawn.

On the other hand, SSAE 16 treats all deviations in the same manner, rather than as an anomaly.

  3. Direct Assistance

SSAE 16 requires that the service auditor applies U.S. audit standards guidance when the service auditor uses members of the service organization’s internal audit function to provide direct assistance.

ISAE 3402, on the other hand, does not provide for use of the internal audit function for direct assistance.

  4. Subsequent Events

SSAE 16 requires that the auditor discloses any event that could be significant in order to prevent users from being misled. A subsequent event would be something that could change management’s assertion after the audit period has ended.  However, ISAE 3402 limits the types of subsequent events that would be disclosed in the service auditor’s report to only those that could have a significant effect on the service auditor’s report.

Following the release of the report, the SSAE 16 also requires the service auditor to adapt and apply the appropriate U.S. audit standards guidance if they become aware of conditions that existed at the report date and could have affected management’s assertion had the service auditor known about them.

  5. Statement Restricting Use of the Service Auditor’s Report

SSAE 16 requires that the service auditor’s report include a statement restricting the use of the report to management of the service organization, user entities, and user auditors.

ISAE 3402 requires that the service auditor’s report include a statement that indicates that the report is intended for the service organization, user entities, and user auditors, but does not require a statement restricting its use.

  6. Documentation Completion

ISAE 3402 requires that the service auditor assembles the appropriate documentation in an engagement file and completes assembly after the completion of the service auditor’s report.

SSAE 16 also requires this measure but has a 60-day timeline following the service auditor’s report release date.

  7. Engagement Acceptance and Continuance

SSAE 16 establishes that management acknowledges and accepts the responsibility of providing the service auditor with written representations at the conclusion of the engagement.

ISAE 3402 does not require this acknowledgment.

  8. Disclaimer of Opinion

If the service provider does not provide the assessor with specific written representation, ISAE 3402 requires that the auditor disclaim an opinion after discussing the matter with management. If this were to occur, the auditor is required to take action.

SSAE 16 requires that the service auditor takes action as well in the same manner or by withdrawing from the engagement.  The SSAE 16 also contains certain incremental requirements when the auditor plans to disclaim an opinion.

  9. Elements of the Section 801 Report That Are Not Required in the ISAE 3402 Report

SSAE 16 contains certain requirements that are incremental to those in ISAE 3402. These requirements are as follows:

  • The identification of any information included in the documentation that is not covered by the service auditor’s report.
  • A reference to management’s assertion, and a statement that management is responsible for identifying any of the risks that threaten the achievement of the control objectives.
  • A statement that the examination included assessing the risks that management’s description of the service organization’s system is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives.
  • A statement that an examination engagement of this type also includes evaluating the overall presentation of management’s description of the service organization’s system and suitability of the control objectives stated in the description.

Reporting Options

While both SSAE 16 and ISAE 3402 are designed to accomplish the same goal in terms of reporting the establishment of effectively designed controls over financial reporting, some service organizations may need to provide reports to their clients (user entities) under each standard. Often this is driven by the need to perform services within and outside of the United States. For those service organizations, the U.S. based standard allows for SSAE 16 reporting to be performed in accordance with the ISAE 3402 standards, often referred to as a combined report.

When considering the reporting options that make sense for your organization, it is important to work with an experienced assessor who can understand the unique needs of your company. A-LIGN has conducted more than 4,000 SOC 1, SOC 2 and ISAE 3402 reports and understands the challenges that each can present for an organization seeking a report. Contact us now to find out more about how A-LIGN can help at [email protected] or call 888-702-5446.

How SOC Audits Can Help Save on Errors & Omissions Insurance

As many companies look to reduce costs, one cost that continues to rise as the company grows is Errors and Omissions (E/O) insurance premiums. Both company liability and personal liability of the board of directors and owners is a topic that continues to be a focus of litigation. One of the ways a company can demonstrate they have sound controls over their control environment (which includes the tone at the top, board of directors’ participation, management oversight, etc.) is to have a SOC audit conducted by a third-party auditing firm such as A-LIGN.

Ask A-LIGN: Why is the SAS 70 audit still asked for? I thought it no longer existed?


Correct. The SAS 70 audit has been out of existence since June 15, 2011. Many organizations are still being asked for SAS 70, frankly, due to the fact of its nearly 20-year existence and lack of education surrounding the change of the standard.

Here’s Why:

Since SAS 70 has been around nearly 20 years, its terminology seems stuck in the written agreements of many organizations that have long-term contractual obligations. Transitioning SAS 70 out of audit terminology is going to take an effort from the profession, as well as publicity of the profession, to make sure that these organizations understand SSAE 16, its replacement of SAS 70, and what it brings to the table to align it more with an assertion-based report rather than a direct reporting on the controls.

Why do my clients ask me for a SOC 1/SSAE 16 Report?

Let’s spend a few minutes getting back to basics. Why do your clients ask for a SOC 1/SSAE 16 report to be provided? Your clients ask because their auditors probably asked for it. So why do your auditors ask for this report? The roots for SSAE 16 can be traced back to SAS 70 and even further to SAS 55. The understanding of internal controls is a fundamental component of performing a financial audit. I spent time early in my career in the financial audit department which helps me explain to companies why a SOC 1/SSAE 16 report would be applicable or not to the company. In performing a financial audit, the auditor makes inquiries of the company regarding their internal controls. Having an understanding of the internal control over financial reporting is a required component for the auditor to perform. If a service has been outsourced to another company, the auditor is required to understand the internal controls. This is so that they can understand the internal controls and assess control risk accordingly.

Value of the SOC 2 for Service Organizations

If your service organization processes customer transactions that impact financial reporting, such as payroll or other financial reporting function, you are more than likely familiar with the SSAE 16 SOC 1 report and its predecessor the SAS 70. Your customer’s auditors request the SAS 70, now the SSAE 16, every year to fulfill your customer’s year-end financial statement audit requirements. You gladly undergo the annual SSAE 16 audit so you have the report ready for your customers each year. One SSAE 16 audit is worth keeping an army of customer auditors from knocking on your door asking for the same evidence of internal controls. More than likely the SSAE 16 is also required to meet contractual obligations to your customers. So to reduce the number of audits you have to endure each year, to meet contractual obligations and also to get an independent evaluation of your internal controls, you engaged a CPA firm to perform the SSAE 16 audit.

SAS 70 is gone??? Why can’t I get a SSAE 16?

In the past two weeks, we have been asked by multiple clients to explain to their customers that the SAS 70 audit standard was superseded as of June 15, 2011. Our clients were faced with frustrated user organizations that were looking for their SAS 70 audit report. We had to not only provide our literature and white papers outlining that the audit standard has been superseded but also provide information directly from the American Institute of CPAs (AICPA) to the same effect. It even got to the point where I told the user organization to call a national accounting firm in their city to confirm what we have said along with the AICPA. This frustration from user organizations can be expected when the SAS 70 audit requirement lies in the hands of a contracting officer at the user organization. The communication gap between the legal or vendor relations department and the accounting departments at an organization sometimes is wide and must be bridged. When the exposure draft of SSAE 16 was released years ago, I recall preaching to clients that they should begin speaking with their customers regarding the change and update contracts with customers as well as vendors to reflect the eventual vanishing of SAS 70. We continue to encourage clients as we move into September, which is typically “SSAE 16 busy season,” that our clients should contact their customers and educate them regarding the change and utilize A-LIGN as a resource to provide additional literature where necessary to explain the new standard.