Things you need to know.

1. SSAE No. 18 Statement on Standards for Attestation Engagements replaces SSAE No. 16

2. SSAE No. 18 also replaces SSAEs No. 10 through 17

• It reduced over a thousand pages of voluminous guidance down to 288.

• It provides clarity and consistency to an inherently complicated area … the SSAE No. 18 effort was named the Attest Clarity Project

1. SSAE No. 18 applies to all Attest Engagements, not just Service Organization Attestations, as the SSAE No. 16 specifically did.

• Examinations

• Since Service Organization Controls (SOC) reports are classified as “examinations,” the attestation standards apply to these engagements.

• Reviews

• Agrees Upon Procedures

1. SSAE No. 18 applies to all reports dated May 1, 2017 and after.

2. SSAE No. 18 adds these new requirements to the Service Organization’s responsibilities:

• The way you refer to your SOC report

• The SSAE-16 SOC1 report will now just be referred to as just a SOC1 report

• More robust third party vendor management requirements

• Additional risk assessment requirements

• More guidance around complimentary subservice organization controls

• Slight modifications to references in your SOC Report

#SSAE18 #SOC2 #SSAE16