The Fundamentals of Standards for Attestation Engagements


The Fundamentals of Standards for Attestation Engagements (SSAE) No. 18

Companies, institutions, and organizations that offer services to their customers that affect processes involving financial reporting are usually subjected to audits.

There are guidelines on how to execute these audits and how service organizations can present an independent audit report to their customers and to their customers’ auditors. The Statement on Auditing Standards, or SAS 70, was used as the guide for this reporting. However, it was replaced by the Standards for Attestation Engagements (SSAE) No. 18 by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in April 2010.

Before SSAE No. 18 was implemented, there were various Statements made in order for the Service Organizations Control Reports to have an acceptable audit approach.

Timeline of SSAE No. 18

In October 1958, the Statement on Auditing Procedure (SAP) No. 29 was issued after almost twenty years since the issuance of the first SAP. SAP No. 29 covered the review on internal control by independent auditors. It was then followed by three more SAPs. SAS No. 44 was issued in December 1974 and tackled the special purpose-reports on internal accounting control at service organizations. Years later, SAS No. 70 was issued. Then in 2010, SSAE No. 18 was adapted. It replaced the existing guideline (SAS 70) in executing an audit of a service organization’s processes and controls.

Why Change from SAS 70 to SSAE 18?

SAS 70 was issued to serve as an auditing framework for user entity auditors in planning and performing audits of their entities’ financial statements. However, according to the Information Systems Audit and Control Association, Inc., SAS 70 was being overused. It was adopted for reports on IT controls when in fact SAS 70 was for financial reporting only. More so, most companies did not understand what SAS 70 was and why it was needed. Also, there was a call for a more comprehensive understanding of Service Provider control programs.

What is SSAE No. 18?

SSAE 18 is now the new model that service organizations should follow in reporting controls. It took effect on reports whose periods ended on or after June 15, 2011. SSAE 18 is parallel to the International Guidance ISAE 3402 and will serve as the representation of universally established accounting principles.

According to Crowe Horwath LLP, a public accounting and consulting firm, SSAE 18 focuses on controls that are related to user entities’ internal control over financial reporting. However, SSAE 18 is only an attest standard. To comply with the needs of the user auditor, a different audit standard will be issued.

SSAE 18 has two types of reports: Type 1 and Type 2. A service editor can issue both reports, but the management is compelled to produce a written assertion. Other elements that make up an SSAE 18 report are the opinion of the service auditor, the description of the Service Organization’s system, the service auditor’s test of controls, and other supplemental information.

For the service auditor, he/she is obligated to disclose any reliance on the work of Internal Audit and other testing functions of the management on his/her report. It is limited to the management and user entities of the service organization and to the user auditors.

When a Service Organization undergoes an SSAE 18 audit, the information will help the organization increase its prospective client base, organizational productivity, customer retention, and accountability. Thus, there will be a return on investment.