The Importance of SSAE 18, SOC 1 and 2
What is the background to SSAE and SOC 1 and 2?
Since the early 1970s, Certified Public Accountants (CPAs) have been required to consider the effects of information technology on financial statements during an audit of those statements. This requirement led to the development of the Statement on Auditing Standards No. 70 (SAS 70), a widely recognized auditing standard designed to demonstrate that a service organization had been through an in-depth examination of its control objectives and control activities (which often included controls over information technology and related processes). In 2011, SAS 70 was superseded by the Statement on Standards for Attestation Engagements (SSAE) No. 16, along with System and Organization Control (SOC) reporting. In 2017, SSAE 16 was superseded by SSAE 18.
What is SSAE?
Statements on Standards for Attestation Engagements (SSAE) are administered by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). They set out attestation standards that auditors use to guide the identification and examination of controls, including security controls, in all types of organizations, such as data centers and cloud service providers. The use of these standards can help both organizations and auditors to demonstrate information security compliance with regulations such as Sarbanes-Oxley.
Although SSAE is largely an American standard, it is based on the International Auditing and Assurance Standards Board's (IAASB) International Standard on Assurance Engagements (ISAE) 3402, so it’s useful internationally.
What is SOC?
System and Organization Control (formerly Service Organization Control) (SOC) reports comprise the reporting part of SSAE, and they are described by the ASB of AICPA as, "internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service." There are two main types of SOC:
- SOC 1 - Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
- SOC 2 - Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
The Trust Services Criteria (TSC) against which SOC 2 is measured consist of:
- Security - Information and systems are protected against unauthorized access, unauthorized disclosure of information and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems, and affect the entity’s ability to meet its objectives.
- Availability - Information and systems are available for operation and use to meet the entity’s objectives.
- Processing integrity - System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality - Information designated as confidential is protected to meet the entity’s objectives.
- Privacy - Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
Please Note: There is also a SOC 3 report which essentially provides a summary of the systems audited and the results of the assessment under SOC 2, and can be freely distributed.
What is the difference between SSAE 16 and SSAE 18?
SSAE 18 clarifies and brings together many of the existing auditing standards, replacing SSAE 10 through 17 and requiring service auditors to enhance their risk assessment procedures around the reported subject matter.
A key change from the SSAE 10 through 17 standards is the required inclusion of defined Complementary Subservice Organization Controls, which means that service organizations must address their own third-party vendor management obligations. In effect, this means implementing controls to monitor the effectiveness of relevant controls at the sub-service organization and reporting on that monitoring. This may entail holding regular periodic discussions with the sub-service organization, running tests and even making site visits.
Which service providers should meet SSAE 18 standards?
In order to deliver superior service to clients, cloud computing providers such as Navisite should ensure they review all their processes on a regular basis and make any changes or updates in order to meet and surpass leading industry standards, of which SSAE 18 is just one example.
All companies which work with customer data – particularly any sensitive data – should check that their cloud provider can demonstrate both compliance with regulations and adherence to non-regulatory standards such as SSAE 18.
What does this mean for clients?
Clients of managed cloud service providers (MCSPs) like Navisite often seek evidence that their provider is following best practice, not only for their own peace of mind, but also to ensure that they meet their own auditing requirements - or equally to provide reassurance to their own clients. This is one of the key benefits of SSAE 18; it establishes a foundation upon which trust can be built.
Here at Navisite, we regularly evaluate and audit our systems, services and personnel, maintaining over 1,400 security, compliance and cloud certifications, so clients can rest assured that we are meeting the highest standards for the processes, controls and procedures that ensure safety in their cloud environment. Meeting the SSAE 18 attestation is just one of our many efforts in championing industry standards and providing peace of mind for our clients.
To find out more about SSAE 18 or SOC 1 and 2, simply get in touch with your usual account manager at Navisite, or for prospective clients please see our general contact page.