Statement on Standards for Attestation Engagements no. 18 (SSAE No. 18 or SSAE 18) is a Generally Accepted Auditing Standard produced and published by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board. Though it states that it could be applied to almost any subject matter, its focus is reporting on the quality (accuracy, completeness, fairness) of financial reporting. It pays particular attention to internal control, extending into the controls over information systems involved in financial reporting. It is intended for use by Certified Public Accountants performing attestation engagements, the preparation of a written opinion about a subject, and the client organizations preparing the reports that are the subject of the attestation engagement. It prescribes three levels of service: examination, [1] review, [2] and agreed-upon procedures. [3] It also prescribes two types of reports: Type 1, which includes an assessment of internal control design, and Type 2, which additionally includes an assessment of the operating effectiveness of controls. [4] Published April 2016, [5] SSAE 18 and all previous standards it supersedes are represented in section AT-C of the AICPA Professional Standards, with most sections becoming effective on May 1, 2017. [6]
SAS 70: In April 1992, the AICPA published Reports on the processing of transactions by service organizations; Statement on auditing standards, 070, which provides guidance when auditing the financial statements of an entity that uses a service organization to process transactions that affect financial reporting. [7]
COSO Internal control: integrated framework: In September 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a report titled Internal control: integrated framework, which provided a definition of internal control and a framework for evaluating and improving internal control over systems. [8]
SAS 78: In December 1995, the AICPA published Consideration of internal control structure in a financial statement audit: an amendment to SAS no. 55; Statement on Auditing Standards, 078, which superseded SAS 55, to reflect the definition of internal control provided in COSO Internal Control-Integrated Framework. [9]
ISAE 3402: In December 2009, the International Auditing and Assurance Standards Board (IAASB) published a new International Standard for Assurance Engagements, ISAE 3402, titled Assurance Reports on Controls at a Service Organization, [10] [11] also known as Internal Control Framework over Financial Reporting (ICFR). It focuses on "assurance engagements when reporting on controls at a service organization that are likely to impact or be a part of the user organization's system of internal control over financial reporting". It specifies ISAE 3000 as being applicable. ISAE 3402 was adopted by the International Federation of Accountants (IFAC). [12]
SSAE 16: In April 2010, the AICPA published Statement on Standards for Attestation Engagements no. 16 (SSAE 16), titled Reporting on Controls at a Service Organization, which superseded SAS 70 and was included in Professional Standards as section AT 801. [13] The changes in this update brought the standard closer to the reporting structure required by the Sarbanes-Oxley Act and the standards supported by the International Federation of Accountants (IFAC). [14]
SOC: In 2011, in conjunction with the release of SSAE 16, the AICPA replaced the service auditor’s examination report prescribed by SAS 70 with the System and Organization Controls (SOC) suite of reports. [11] [15] [16]
Trust Services Criteria: In 2014, the AICPA Assurance Services Executive Committee (ASEC) published new guidance, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, referred to simply as control criteria. The new control criteria were aligned with the 17 principles of COSO Internal Control—Integrated Framework. It included criteria to supplement COSO principle 12 by addressing controls for logical and physical access, system operations, change management, and risk mitigation. [17]
SSAE 18: In April 2016, the AICPA published Statement on Standards for Attestation Engagements 18; Attestation Standards: Clarification and Recodification in response to "concerns over the clarity, length, and complexity of its standards", [5] with most sections becoming effective on May 1, 2017. [18] SSAE No. 18 supersedes and integrates most prior SSAE releases into a single clarified standard. [6]
SSAE No. 18 clarified and revised all prior SSAEs except for SSAE No. 10 chapter 7, which was placed in AT-C section 395 in unclarified form, and SSAE No. 15, which was replaced by Statement on Auditing Standards No. 130 and moved to AU-C section 940. The AT section numbers for the superseded SSAEs were recodified in the Professional Standards as section "AT-C" to avoid confusion with the older standards codified as section "AT". [6]
SSAE No. 18 requires the consideration of Complementary Subservice Organization Controls, which are the controls for portions of the service organization’s systems that are outsourced to other service organizations. [19]
There have been some notable developments in information assurance audit standards since the initial release of SSAE no. 18 that affect reporting under this standard.
Cybersecurity Risk Management Reporting Framework: In 2017 the AICPA Assurance Services Executive Committee (ASEC) published new and revised materials that together form a cybersecurity risk management reporting framework. The framework is intended to assist organizations in describing their cybersecurity risk management activities. It is also intended to assist CPAs in performing examination engagements, known as SOC for Cybersecurity examinations. The three resources that form the framework are: [20] [21] [22]
Trust Services Criteria (TSC): In 2017, as part of the Cybersecurity Risk Management Reporting Framework, the AICPA Assurance Services Executive Committee (ASEC) released updates to the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, referred to as control criteria by the Cybersecurity Risk Management Reporting Framework. SOC 2 or SOC 3 reports with an examination period ending on or after 15 December 2018 must comply with the revised control criteria. [17] [24] [25]
SOC: As of 2018, the AICPA continues to update and expand its System and Organization Controls (SOC) reporting guidance. This includes new material such as SOC for Service Organizations [26] and SOC for Cybersecurity Reporting Framework. [27]
The sections of SSAE no. 18 are represented under section AT-C of the AICPA Professional Standards. The outline of the sections is as follows: [5]
AT-C section 105, effective May 1, 2017, defines requirements for all types of attestation engagements. It describes an attestation engagement as being one of three service levels, which are defined in sections 205, 210, and 215. It also identifies the three overall objectives of an attestation engagement. [18] [5]
AT-C section 205, effective May 1, 2017, principally defines the requirements and contents of an examination engagement, one of the three service levels of an attestation engagement. [1] [5]
AT-C section 210, effective May 1, 2017, principally defines the requirements and contents of a review engagement, one of the three service levels of an attestation engagement. [2] [5]
AT-C section 215, effective May 1, 2017, principally defines the requirements and contents of an agreed-upon procedures engagement, one of the three service levels of an attestation engagement. [3] [5]
AT-C section 305, effective May 1, 2017, sourced from SSAE No. 18, contains requirements and guidance for examining or performing agreed-upon procedures on prospective financial information. [28] [5]
AT-C section 310, effective May 1, 2017, sourced from SSAE No. 18, contains requirements and guidance for examining or reviewing pro forma financial information. [29] [5]
AT-C section 315, effective May 1, 2017, sourced from SSAE No. 18, contains requirements and guidance for performing the following types of engagements:
AT-C section 320, sourced from SSAE No. 18, effective on May 1, 2017, contains requirements and guidance for examining controls at service organizations that provide services to user entities where those controls are relevant to the user entities’ internal control over financial reporting. It may also be applied to reporting on internal controls other than financial reporting. [4] [5]
AT-C section 395, sourced from SSAE no. 18, effective on June 1, 2001, contains requirements and guidance for attestation engagements regarding management's discussion and analysis (MD&A), such as those presented in annual reports to shareholders. [31]
SSAE 18 identifies two primary roles during the formation of an attestation engagement: [18]
SSAE 18 refers to two roles that are the main actors during an attestation engagement: [18]
SSAE 18 identifies two subordinate roles that may be engaged by the practitioner: [18]
SSAE 18 also identifies other relevant roles not directly engaged in the audit: [18]
Sections 205, 210, and 215 are intended to define the three service levels for any attestation engagement, though other applicable sections may specify additional requirements for the engagement:
Sections 205, 210, and 215 also prescribe or prohibit certain attestation engagement service levels depending on the subject matter.
SSAE 18 section 320, titled "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting", defines two types of report formats, type 1 and type 2, that vary in their content, which further differentiates the level of service to be performed in an attestation engagement for this subject matter: [4] [32]
SSAE 18 states that it may be applicable to any subject matter, though the nature of the subject matter is a key factor in determining which sections of the standard are applicable and which attestation engagement service level the practitioner may perform. All attestation engagements are predicated on the concept that the practitioner reports an opinion about a statement, description, or assertion made by the responsible party about a subject matter.
Accounting, also known as accountancy, is the processing of information about economic entities, such as businesses and corporations. Accounting measures the results of an organization's economic activities and conveys this information to a variety of stakeholders, including investors, creditors, management, and regulators. Practitioners of accounting are known as accountants. The terms "accounting" and "financial reporting" are often used as synonyms.
The American Institute of Certified Public Accountants (AICPA) is the national professional organization of Certified Public Accountants (CPAs) in the United States, with more than 428,000 members in 130 countries. Founded in 1887 as the American Association of Public Accountants (AAPA), the organization sets ethical standards and U.S. auditing standards. It also develops and grades the Uniform CPA Examination. The AICPA maintains offices in New York City; Washington, DC; Durham, NC; and Ewing, NJ.
Certified Public Accountant (CPA) is the title of qualified accountants in numerous countries in the English-speaking world. It is generally equivalent to the title of chartered accountant in other English-speaking countries. In the United States, the CPA is a license to provide accounting services to the public. It is awarded by each of the 50 states for practice in that state. Additionally, all states except Hawaii have passed mobility laws to allow CPAs from other states to practice in their state. State licensing requirements vary, but the minimum standard requirements include passing the Uniform Certified Public Accountant Examination, 150 semester units of college education, and one year of accounting-related experience.
An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon." Auditing also attempts to ensure that the books of accounts are properly maintained by the concern as required by law. Auditors consider the propositions before them, obtain evidence, and evaluate the propositions in their auditing report.
A financial audit is conducted to provide an opinion whether "financial statements" are stated in accordance with specified criteria. Normally, the criteria are international accounting standards, although auditors may conduct audits of financial statements prepared using the cash basis or some other basis of accounting appropriate for the organization. In providing an opinion whether financial statements are fairly stated in accordance with accounting standards, the auditor gathers evidence to determine whether the statements contain material errors or other misstatements.
Assurance service is an independent professional service, typically provided by Chartered or Certified Public Accountants or Chartered Certified Accountants, with the goal of improving information or the context of information so that decision makers can make more informed, and presumably better, decisions. Assurance services provide independent and professional opinions that reduce information risk.
An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure and business applications. The evaluation of evidence obtained determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
An external auditor performs an audit, in accordance with specific laws or rules, of the financial statements of a company, government entity, other legal entity, or organization, and is independent of the entity being audited. Users of these entities' financial information, such as investors, government agencies, and the general public, rely on the external auditor to present an unbiased and independent audit report.
Generally Accepted Auditing Standards, or GAAS, are sets of standards against which the quality of audits is performed and may be judged. Several organizations have developed such sets of principles, which vary by territory. In the United States, the standards are promulgated by the Auditing Standards Board, a division of the American Institute of Certified Public Accountants (AICPA).
In the United States, Statements on Auditing Standards provide guidance to external auditors on generally accepted auditing standards in regards to auditing a non-public company and issuing a report. They are promulgated by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), which holds all copyright on the Standards. They are commonly abbreviated as "SAS" followed by their respective number and title.
The Uniform Certified Public Accountant Examination is the examination administered to people who wish to become U.S. Certified Public Accountants. The CPA Exam is used by the regulatory bodies of all fifty states plus the District of Columbia, Guam, Puerto Rico, the U.S. Virgin Islands and the Northern Mariana Islands.
Internal control, as defined by accounting and auditing, is a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.
In the United States, the Auditing Standards Board (ASB) is the senior technical committee designated by the American Institute of Certified Public Accountants (AICPA) to issue auditing, attestation, and quality control statements, standards and guidance to certified public accountants (CPAs) for non-public company audits. Created in October 1978, it is composed of 19 members representing various industries and sectors, including public accountants and private, educational, and governmental entities. It issues pronouncements in the form of statements, interpretations, and guidelines, which all CPAs must adhere to when performing audits and attestations.
Fraud deterrence has gained public recognition and spotlight since the 2002 inception of the Sarbanes-Oxley Act. Of the many reforms enacted through Sarbanes-Oxley, one major goal was to regain public confidence in the reliability of financial markets in the wake of corporate scandals such as Enron, WorldCom and Waste Management. Section 404 of Sarbanes-Oxley mandated that public companies have an independent audit of internal controls over financial reporting. In essence, the intent of the U.S. Congress in passing the Sarbanes-Oxley Act was to proactively deter financial misrepresentation (fraud) in order to ensure more accurate financial reporting and increase investor confidence. This same concept is applied in the discussion of fraud deterrence.
Regulation S-X is a prescribed regulation in the United States of America that lays out the specific form and content of financial reports, specifically the financial statements of public companies. It is cited as 17 C.F.R. Part 210; the name of the part is "Form and Content of and Requirements for Financial Statements, Securities Act of 1933, Securities Exchange Act of 1934, Public Utility Holding Company Act of 1935, Investment Company Act of 1940, Investment Advisers Act of 1940, and Energy Policy and Conservation Act of 1975".
Generally Accepted Privacy Principles (GAPP) is a framework intended to assist Chartered Accountants and Certified Public Accountants in creating an effective privacy program for managing and preventing privacy risks. The framework was developed through joint consultation between the Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA) through the AICPA/CICA Privacy Task Force. It is a component of SOC 2.
International Standard on Assurance Engagements 3402, titled Assurance Reports on Controls at a Service Organization, is an international assurance standard that describes Service Organization Control (SOC) engagements, which provide assurance to an organization's customers that the service organization has adequate internal controls. ISAE 3402 was developed by the International Auditing and Assurance Standards Board (IAASB) and published by the International Federation of Accountants (IFAC) in 2009. It supersedes SAS 70 and puts more emphasis on procedures for the ongoing monitoring and evaluation of controls.
Statement on Standards for Attestation Engagements no. 16 is an auditing standard for service organizations, produced by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board, which supersedes Statement on Auditing Standards no. 70 and has been superseded by SSAE No. 18.
System and Organization Controls (SOC), as defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations to issue validated reports of internal controls over their information systems to the users of those services. The reports focus on controls grouped into five categories called Trust Services Criteria. The Trust Services Criteria were established by the AICPA through its Assurance Services Executive Committee (ASEC) in 2017. These control criteria are to be used by the practitioner/examiner in attestation or consulting engagements to evaluate and report on controls of information systems offered as a service. The engagements can be done on an entity-wide, subsidiary, division, operating unit, product line or functional area basis. The Trust Services Criteria were modeled in conformity to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework. In addition, the Trust Services Criteria can be mapped to NIST SP 800-53 criteria and to EU General Data Protection Regulation (GDPR) Articles. The AICPA auditing standard Statement on Standards for Attestation Engagements no. 18, section 320, "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting", defines two levels of reporting, type 1 and type 2. Additional AICPA guidance materials specify three types of reporting: SOC 1, SOC 2, and SOC 3.