SSAE-18 – An Update to SSAE 16 (Coming 2017)

SSAE-18 is on the horizon and there are a few key changes from the current SSAE-16 that will help to clarify and formalize requirements for performing and reporting on the examination, review, and agreed-upon procedures engagements to expand the potential of what an SSAE-16 can report on.

What do I need to know as a Service Organization? 

When is SSAE-18 effective?
For reports dated on or after May 1, 2017.

What can SSAE-18 report on?
In addition to processes related to financial statements,  now, an entity’s compliance with certain laws or regulations, contractual arrangements, or another set of defined agreed-upon procedures – just about any outsourced service where 3rd party validation would be beneficial and add assurance.

What about Companies with a current SSAE 16?
If you never performed a risk assessment in the past, you have will most likely need to think about implementing one.

  • Risk assessments are a common requirement in SOC 2, but, not so much in SOC 1. Now, in SSAE 18 there is an increased focus on the performance of a risk assessment at least annually.
  • A risk assessment should have a defined linkage between the potential risks of material misstatement and the controls in place to respond to the assessed risks, and remediation plans to mitigate any identified high-risk issues.

What do I do next?

This shouldn’t bring about any panic for those currently with an audit and a service provider. This should actually open the door for more service offerings and a higher level of assurance all around between Company’s and those they outsource services to.

Click here to contact an SSAE-18 audit provider to learn more about how these changes can help your business.

Get Our Emails

SOC Reporting Guide

Popular Resources