The American Institute of Certified Public Accountants (AICPA) is the U.S. rule making body for the auditing industry and it sets standards for professional auditors which are typically large CPA and consulting firms. They created the SAS 70 standard which evolved into SSAE 16 and then into SSAE 18. SAS is an acronym for Statement on Auditing Standards and likewise SSAE stands for Statements on Standards for Attestation Engagements.
What is SAS 70?
SAS 70 provided metrics to reporting on controls and processes at service companies. However, it did not require attestation about the design and effectiveness of controls, which of course are important for organizations wanting to outsource critical business functions.
What is SSAE 16?
SSAE 16 did what SAS 70 did not do, which is to provide a set of standards and guidance for attestation reporting on organizational controls and processes of service companies. SSAE 16 held a service company's management accountable by requiring, in writing, that the company's systems, control objectives, and operational activities were accurately reflected in the audit report.
What is SSAE 18?
The rise of worldwide outsourcing of critical business functions influenced the AICPA to evolve their standards from SSAE 16 to SSAE 18. Some examples of the type of business that often need SSAE 18 audits are:
- Payroll or loan processing
- Data center/co-location
- Software as a Service (SaaS)
- Medical claims processors
SSAE 18 is the current auditing standard for service companies. It replaced SSAE 16 and updates and simplifies the auditing standards for reporting on organizational controls and processes. Companies must provide risk assessments to the auditors, which is a very significant change. The companies must also sign a "Management Assertion" letter accepting significant responsibility which was not required under SSAE 16. Under SSAE 16 they had to provide such a letter, but not have to sign it. The signed letter and the auditor's report now have different language that is more specific and detailed to provide more assurance to users of these reports. It also requires that companies to identify subservice organizations. Today, SOC 1, SCO 2 and SCO 3 audits use the standards of SSAE 18.