Statement on Standards for Attestation Engagements (SSAE) 18

SSAE 18 is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). It governs engagements in which a service auditor (the practitioner) examines a service organization's controls and reports on the suitability of their design and, in a Type 2 engagement, on their operating effectiveness.


What are SOC 1 and SOC 2 Reports?

SOC 1 Reports: Reporting on controls at a service organization that are relevant to user entities' internal control over financial reporting (ICFR). The examination is performed in accordance with SSAE 18 (AT-C section 320) and the AICPA SOC 1 audit guide.

SOC 2 Reports: Reporting on controls relevant to security, availability, processing integrity, confidentiality, or privacy. Before SSAE 18, SOC 2 examinations were performed under AT Section 101 using the audit guide titled Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy; under SSAE 18 they fall under AT-C sections 105 and 205 and use the AICPA SOC 2 guide.

What are Type 1 & Type 2 Reports?

A Type 1 report is technically known as a "Report on Management's Description of a Service Organization's System and the Suitability of the Design of Controls", or simply a SOC 1 SSAE 18 Type 1 report. It gives the auditor's opinion as of a single point in time and does not test whether the controls actually operated.

A Type 2 report is technically known as a "Report on Management's Description of a Service Organization's System and the Suitability of the Design and Operating Effectiveness of Controls", or simply a SOC 1 SSAE 18 Type 2 report. It adds tests of operating effectiveness over a review period, which is why customers usually ask for the Type 2 rather than the Type 1.

Approach to SOC and How It Works

Readiness Assessment

01

Once the scope is determined, Briskinfosec assesses the gap between the controls the service organization already has in place and management's control objectives, to establish whether the existing controls satisfy those objectives and are in order.

If the controls are not adequate, a remediation effort is designed to introduce the missing countermeasures and close the gaps.

CCPA Penalties and How to Avoid Them

02

As with any compliance regime, violating the CCPA carries a price tag. Civil penalties, recovered as provided in Section 17206 of the California Business and Professions Code, are up to $2,500 per unintentional violation and up to $7,500 per intentional violation.

The privacy law also lets individuals recover statutory damages of between $100 and $750 per consumer per incident, or actual damages if there is solid evidence that those exceed $750.


Remediation of Control Gaps

03

The following steps occur during the remediation phase:

Remediation services are provided, the remediation effort is tracked, and the adequacy of the new or changed controls is confirmed so that the identified gaps are closed.

The service provider drafts a system description that identifies the processes and controls delivering the services within the scope of the engagement. This description is the basis of the auditor's opinion and is included in the final report.

Attestation: Testing the Accuracy of the Controls

04

After remediation has been performed, the service auditor examines the system description and the controls that addressed the identified gaps, and tests whether those controls are suitably designed to meet the control objectives.

The successful result of these procedures is the issuance of a Type 1 SOC report with the service auditor's opinion as of a specific date. A Type 2 report additionally requires the controls to be tested for operating effectiveness over a period.

Benefits of A SOC Report

A SOC report is a signal of trust to the customers who receive services from your organization, showing that internal controls are maintained and implemented. Because of the changes from SSAE 16 to SSAE 18, your service organization can benefit in the following ways:

A broader, risk-based approach and enhanced reporting on your control system.


Assurance for your customers that the internal controls affecting their financial reporting are examined on a timely basis and described accurately, helping them stay in compliance with company policies and government regulations.

SSAE 18 engagements identify key areas for improvement that can ultimately reduce risk, decrease the frequency of irregularities, and minimize the chances of fraud.

What Does CPA Reporting Mean for SSAE 18 Physical Security Compliance?

When an independent CPA reports on your SSAE 18 compliance, you can show your clients that physical and logical access to your premises and systems is controlled: responsibility for granting access follows a defined hierarchy, and you work with partners who do not take data security lightly. Be precise about what the report says: it is the auditor's opinion that the described controls are suitably designed (and, for a Type 2 report, operated effectively during the review period); it is not a guarantee that security cannot be compromised.


How Is SSAE 18 Different From SSAE 16?

01

While SSAE 16 was specific to SOC 1 audits, SSAE 18 is an umbrella standard that applies to most types of attestation engagements, clarifying and formalizing requirements to make the resulting reports more useful.

SSAE 18 features significant changes in the following areas:

Vendor management

Risk assessment

Complementary subservice organization controls

Data validation

02

What is SSAE 18 Compliance in Access Control?

The SSAE 18 guidance primarily clarifies existing attestation standards. It is also intended to reduce duplication among the similar standards that covered examination, review and agreed-upon procedures engagements.

As of May 1, 2017, these engagements, previously covered by SSAE Nos. 10 through 17, fall under SSAE 18.

This is why SSAE 18 access control compliance for today's service companies entails more than just physical requirements: logical access to systems and data is examined as well.


Additional details


  • The major change from SSAE 16 to SSAE 18 relates to the monitoring of subservice organizations. A subservice organization is a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities' internal control over financial reporting. SSAE 18 requires the service organization to implement controls that monitor the effectiveness of controls at the subservice organization.

  • In our experience, SOC 2 is increasingly valuable in business-to-business compliance and assurance. It continues to grow in usefulness as a tool for meeting other requirements (e.g. GDPR, HIPAA and PCI DSS) that demand detailed oversight of third-party vendors. A service organization that obtains one signals that it is maturing its controls and taking its responsibilities to its clients seriously.

  • Our research also indicates that the AICPA's SOC for Cybersecurity examination is useful for large multinational companies as well as MSMEs that need a measurement of their own cyber security posture. A CISO needs to quantify risk over time for board members who want to know whether cyber security risks are being adequately mitigated, and the examination is a good way to measure whether specific controls have delivered a return on investment.

  • Both the healthcare organization and the individual staff members who access PHI are responsible. The organization is responsible for putting all necessary safeguards in place for HIPAA compliance. Every individual (office manager, doctor, etc.) is held responsible for the health information they should, can, or do access. Individuals and companies can independently face criminal charges for mishandling PHI.

  • A service auditor may be engaged to report on a description of a service organization's system and the suitability of the design and operating effectiveness of controls relevant to one or more of the trust services categories.
  • In SSAE 18 SOC 2 and SOC 3 engagements, the service auditor uses the AICPA Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy (AICPA, Technical Practice Aids) to evaluate and report on the controls relevant to the categories in scope.
  • Accordingly, every SOC 2 and SOC 3 engagement that addresses the same category uses the same criteria (the applicable trust services criteria), which makes reports comparable across service organizations.

  • The most important requirement of SOC 2 is that the business develops written security policies and procedures that everyone follows. These documents are the starting point for the auditor's review. They should cover the security, availability, processing integrity, confidentiality and privacy of the data the organization stores and processes, including data held in the cloud.

  • The most important things to monitor are any unauthorized, unusual or suspicious activity against a specific client's data. This monitoring usually focuses on system configuration and user access, and watches for known and unknown malicious activity such as phishing or other inappropriate and unauthorized access. The most effective approach is a continuous security monitoring service rather than periodic manual review.

  • Alerts that detect unauthorized access to customer information, or any other anomalous behaviour involving a client's data, are crucial in helping busy IT leaders produce the evidence that SOC 2 auditors look for.

  • A SOC 2 scoping and readiness assessment helps service organizations better determine the necessary scope of a specific audit. This important exercise helps IT teams understand which important elements of the control environment require attention and remediation before performing the official audit.

  • SOC 2 is not a legal mandate, but it is routinely demanded by the customers of technology-based service organizations that store client information, in particular SaaS and other cloud service providers that hold each engaged client's data in the cloud.

  • Most SOC 2 reports cover a one-year period, but some service organizations have the audit performed every three or six months, depending on the client's preference and any ongoing concerns in the operational control environment.
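The two monitoring points above (watching user access to a specific client's data, and alerting on unauthorized or anomalous activity) are easier to evidence to an auditor when the checks are written down as code rather than performed by eye. The following is an added example, not code from the original page or from Briskinfosec, showing a minimal detector run over a constructed JSON-lines audit log. The log format, the AUTHORIZED entitlement map, and the thresholds are all hypothetical assumptions made for the example.

```python
"""Added example: flag unauthorized and anomalous access to client data in an audit log.

Assumptions (hypothetical, not from the page): each log line is a JSON object with
ts, user, client, action and rows fields, and an AUTHORIZED map lists which users
may touch which client's data.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (JSON lines); not captured from any real system.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:01:12Z", "user": "alice", "client": "acme", "action": "read", "rows": 3}
{"ts": "2024-03-04T09:05:40Z", "user": "alice", "client": "acme", "action": "read", "rows": 1}
{"ts": "2024-03-04T09:07:02Z", "user": "bob", "client": "globex", "action": "read", "rows": 2}
{"ts": "2024-03-04T09:09:55Z", "user": "bob", "client": "acme", "action": "read", "rows": 1}
{"ts": "2024-03-04T02:14:10Z", "user": "carol", "client": "acme", "action": "export", "rows": 5000}
{"ts": "2024-03-04T02:14:11Z", "user": "carol", "client": "globex", "action": "export", "rows": 4200}
{"ts": "2024-03-04T02:14:12Z", "user": "carol", "client": "initech", "action": "export", "rows": 3900}
"""

# Hypothetical entitlement data: which staff may access each client's records.
AUTHORIZED = {
    "acme": {"alice", "carol"},
    "globex": {"bob", "carol"},
    "initech": {"carol"},
}

BULK_ROW_THRESHOLD = 1000        # exports at or above this size deserve a look
MAX_CLIENTS_PER_USER = 2         # touching more distinct clients than this is unusual
BUSINESS_HOURS = range(7, 20)    # 07:00-19:59 UTC is the expected working window


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, authorized):
    """Return a list of (kind, user, client, ts) alerts for the given events.

    Kinds: UNAUTHORIZED (user not entitled to that client's data), BULK_EXPORT
    (large export), OFF_HOURS (activity outside BUSINESS_HOURS) and MULTI_CLIENT
    (one user spanning more clients than MAX_CLIENTS_PER_USER in the log window).
    """
    alerts = []
    clients_touched = defaultdict(set)
    for e in events:
        user, client, ts = e["user"], e["client"], e["ts"]
        # Entitlement check: the core "unauthorized access to a client's data" alert.
        if user not in authorized.get(client, set()):
            alerts.append(("UNAUTHORIZED", user, client, ts))
        # Volume check: a large export is anomalous even for an entitled user.
        if e["action"] == "export" and e["rows"] >= BULK_ROW_THRESHOLD:
            alerts.append(("BULK_EXPORT", user, client, ts))
        # Time-of-day check against the expected working window.
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
        if hour not in BUSINESS_HOURS:
            alerts.append(("OFF_HOURS", user, client, ts))
        clients_touched[user].add(client)
    # Breadth check: one identity sweeping across many clients' data.
    for user, clients in sorted(clients_touched.items()):
        if len(clients) > MAX_CLIENTS_PER_USER:
            alerts.append(("MULTI_CLIENT", user, ",".join(sorted(clients)), ""))
    return alerts


def run_sample():
    """Run the detector over the constructed log; the result doubles as a smoke test."""
    return detect(parse_log(SAMPLE_LOG), AUTHORIZED)


if __name__ == "__main__":
    for kind, user, client, ts in run_sample():
        print(f"{kind:<13} user={user:<6} client={client:<20} {ts}")
```

On the constructed log the detector raises one UNAUTHORIZED alert (bob reading acme data he is not entitled to) and flags carol's overnight bulk exports across three clients as BULK_EXPORT, OFF_HOURS and MULTI_CLIENT. Each alert kind corresponds to a question an auditor will ask about user access monitoring; the thresholds and the working window are placeholders to be tuned to the service organization's own baseline, and the entitlement map would normally be pulled from the access-control system rather than hard-coded.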
