SSAE 18 Reporting Services





Riskpro's SSAE 18 Readiness and Attestation Services

Riskpro's unique approach to SSAE engagement is sustained value addition to your business. Our readiness services enable you to remediate the control gaps in an efficient manner that not only help to get SSAE 18 reports signed, but also improve productivity and efficiency in the business. That to us is a greater value. Regular certifications and engagement means that your business processes are constantly being evolved and updated thereby bringing in intrinsic business value.

Riskpro’s own range of complimentary services, best practices, resources and networking ensure to deliver the best services cost effectively in preparing, auditing and maintaining the system ‘always ready’ for attestation, compliance, and benchmarking.


Need for SSAE 18 Reporting

  • The SSAE 18 audit report allows the service organization to provide its customers with independent third-party verification about the state of the internal controls governing the integrity, reliability, effectiveness, and security of the processing services provided to user organizations.
  • The SSAE 18 Attestation Report can be used by user organization’s financial statement auditors as a substitute for those parties performing their own first-hand audit procedures.
  • Undergoing the SSAE 18 Attestation distinguishes the service organization from its competitors.
  • A SSAE 18 audit can improve or sustain business relations between service providers and user organizations. It may be also viable to pass the costs of fees paid for the SSAE 18 Attestation to the user organization.

    Upgradation from old standard(SAS 70) to new SSAE 18 Standard. Use of SSAE 18 Audit Reports.

  • More confidence in the Services by the customers.
  • Allows the service organization to meet contractual obligations.
  • Provide additional comfort on risk, systems and controls to clients and business partners.
  • Provide assurance on the Internal Controls and meeting objectives in case of adverse situations.

What makes us different

  • We have an inhouse CPA who can sign off on the SSAE 18 reports.
  • We have a team of internal control experts who are currently working on a number of SSAE 18 engagements.
  • As a firm, we are all about risk and controls.

Contact for More Information

Alternatively, for more information, please email manoj.jain@riskpro.in


Indepth explanation of SSAE 18

What do the following three terms have in common?
• SSAE 18
• SAS 70
• SOC 1, SOC2 and SOC3 Reports

The simple answer is that all these terms are inter linked in some way and are assurances over outsourced operations. In other words a SAS 70 report, a SSAE16 auditor report etc give assurance to the user of the audit report that the internal controls at the service provider are effective if the report is unqualified.

With increased globalization, outsourcing seems to be the business mantra. Companies outsource systems, business processes and data processing. All outsourcing is done with an assumption that the operational risk at the service provider will be effectively managed and that the service provider is able to build a robust internal control framework.

In doing so, user organisation (the company that outsources the activities) needs to gain comfort that the data, processes, inputs and outputs at the service provider location are effectively handled and does not expose user organisation to any reputation or other risks.

Till recently, this was done using SAS 70 reports [Statement on Auditing Standards 70]. This gave organisation a broad comfort over the controls at service provider.

However, the biggest weakness of SAS 70 reporting was its main focus was on risks relating to internal control over financial reporting. But what about risks such as give below.

1. Systems are not available at service provide to process information
2. Data confidentially of client/customer information
3. What type of security is available so that information assets are protected.

Do service providers have adequate controls and policies in place to address controls that are beyond Financial reporting related controls ie operational controls.

This main gap resulted in SAS 70 been replaced by another set of reports called SOC reports.

SOC Reports and their meaning
Let's turn to what SOC means and what are these reports.

Need for a CPA review/audit
As per AICPA website, "A CPA may be engaged to examine and report on controls at a service organization related to various types of subject matter, for example, controls that affect user entities’ financial reporting or controls that affect the security, availability, and processing integrity of the systems or the confidentiality or privacy of the information processed for user entities’ customers."

For this purpose and to address varying requirement of the engagement, AICPA has introduced SERIVICE ORGANISATION CONTROL (SOC)Reports. 
There are three types of SOC reports and you guessed it right. SOC1,SOC2 and SOC3 given below.

SOC1

SOC2

SOC3

Financial Controls focus

Operational Controls focus

Control review focus is those affecting financial statements

Controls that may affect Security, availability, processing integrity confidentiality, or privacy

Controls that may affect Security, availability, processing integrity confidentiality, or privacy

SOC 1 is the famous SSAE 18 reports because they fall under the Statements on Standards for Attestation Engagements 16.

They fall under the AT 101 Attestation engagement

They fall under the AT 101 Attestation engagement

Description of service organization’s system.

Description of service organization’s system.

CPA’s opinion on whether the entity maintained effective controls over its system. 

Type 1 Report - A point in time description of the controls in place. (Design effectiveness)

Type 2 Report - Review of controls over a period of time, usually 12 months and also tests the operating effectiveness of the controls (Operating effectiveness

Type 1 Report - A point in time description of the controls in place. (Design effectiveness)

Type 2 Report - Review of controls over a period of time, usually 12 months and also tests the operating effectiveness of the controls (Operating effectiveness

SOC 3 reporting is for a larger audience and gives a user greater comfort on the level of controls relating to the Trust Services Principles 

From the table above, we see that SSAE 18 has two types of reports.

1. A Type 1 report is one in which the service auditor reports on the fairness of the presentation of management’s description of the service organization’s system and the design effectiveness of the controls. It is merely saying that the organisation has built in controls to manage and process information in manner that will ensure that the user organization does not have material misstatement of its financial statements.

An example can make it clear.
Let us suppose the service provider is processing Accounts Payable invoices. Then an excel error at the outsourced service provider may result in the provider understating liability (AP balances) because the updated excel sheet was not used for reporting to User organisation and 100 invoices that were received, recorded but wrongly summarized and reported.

So, the management description of controls will be that every reporting is reviewed by Supervisor and Unit Head before releasing it to user organisation. Hence, in Type 1, the CPA merely states that this control is good enough or not in term of design.

2. A type 2 report is one in which in which the service auditor reports on the fairness of the presentation of management’s description of the service organization’s system, opinion on the design effectiveness of the controls AND on the operating effectiveness of these controls. So, type 3 report can only be issued once the controls have been tested for their operating effectiveness.

Taking the same example given above, merely saying that I am going to review reports before submitting to user organisation does not mean that it is actually reviewed. This is where operating effectiveness of controls comes into picture. Through testing of controls, service auditor gives an assurance that there are adequate controls and also these controls are operating effectively. Almost like Sox 404 review of the service provider.

SOC 2 Reporting

The purpose of the SOC 2 report is to provide an assurance or an opinion on the level of trust and assurance that user auditor and user organisation can derive from the system that the service organization has deployed that effectively mitigate operational and compliance risks.

SOC 2 report demonstrates an independent auditor’s review of a service organization’s application of criteria related to one or more of the Trust Services Principles, which are:

• Security: The system is protected against unauthorized access (both physical and logical).

• Availability: The system is available for operation and use as committed or agreed.
for reducing assessment of control risk below maximum

• Processing integrity: System processing is complete, accurate, timely, and authorized.

• Confidentiality: Information designated as confidential is protected as committed or agreed.

• Privacy: Personal information (i.e., information that is about or can be related to an identifiable individual) is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP)

An example of service provider requiring a SOC 2 reporting would be a provider providing medical transcription services. In this case, the financial reporting controls are not really so much of a concern, because little or no financial data is involved. Rather, the data confidentiality is a big concern and hence user auditor would be concerned about these compliance issues.

More Information

To learn more about SSAE 18, SOC 1, SOC 2 reporting, please contact manoj.jain@riskpro.in or call at 98337 67114.

Other Services of Interest

  • Legal Compliance software - Partnership Announcement

    Riskpro is pleased to announce that we have partnered with LexComply to offer legal compliance software solutions to our clients. To learn more about legal compliance software that we have to offer...
  • Information Security Policies - Full Set

    Riskpro has put together a complete documentation toolkit for ISMS /ISO 27001 framework. To purchase this work template based toolkit, please send an email to info@riskpro.in.
  • SSAE 18 - SOC Audit and Attestation Services

    Riskpro's unique approach to SSAE engagement is sustained value addition to your business. Our readiness services enable you to remediate the control gaps in an efficient manner that not only help to...
  • SSAE 18 - SOC Audit and Attestation Services

    Riskpro has been providing SSAE 16/ now SSAE 18 and other information security services for over two years. Here are some of the major benefits our clients are experiencing. Benefits of SOC Audit...
  • Cybersecurity Checklist - NIST Framework

    Riskpro has developed a cybersecurity checklist based framework to perform a self assessment of cyber risk preparedness. Please email info@riskpro.in to obtain more information on this.
  • Risk Management for Corporates

    Banks are often seen in the forefront of any risk management discussion and it is often perceived that Risk Management is synonymous with Banking. But this is not entirely true. It is true that Banks...
  • Go to top