One of the most effective community bank and credit union vendor management tools is getting an overhaul this spring, and it’s going to change how financial institutions (FIs) monitor vendors and their internal controls.
Beginning May 1, 2017, the Statement on Standards for Attestation Engagements 18 (SSAE 18) will take precedence over all previous versions, including the SSAE 16. This newly expanded auditing standard includes brand new sections addressing:
Not only will banks have unprecedented insights into vendors’ compliance controls, but they’ll finally uncover the mysteries of fourth party risk.
Published by the American Institute of Certified Public Accountants (AICPA), SSAE 18 is the attestation standard under which an independent auditor examines a service organization's internal controls and reports on them. A properly conducted SSAE 18 audit provides assurance that the right controls are in place to protect a financial institution's data, maintain availability, protect privacy, and accurately process payments. It can also reveal how exceptions are corrected (or aren't corrected), which says a great deal about vendor reliability. This is essential in an environment where regulators expect FIs to be just as responsible for activities outsourced to a vendor as they are for their own.
The resulting reports take several forms, called Service Organization Control (SOC) reports. SOC 1 and SOC 2 reports are proprietary, restricted-use reports. A SOC 1 covers controls relevant to the user entity's financial reporting, while a SOC 2 covers controls relevant to the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), which is what most FIs mean by "compliance." Both are available as either Type 1 reports, which test whether controls are suitably designed and in place as of a specific date, or Type 2 reports, which test whether the controls operated effectively over a period of time (typically six to twelve months) and so show whether they actually hold up in practice. SOC 3 reports come in just one type; they are general-use summaries that omit the detailed control descriptions and test results, and are essentially advertorials for a company. SOC 2 Type 2 reports are the most useful to FIs.
The scope of an SSAE 18 covers five main areas:
The bottom line is that the SSAE 18 brings many benefits for FIs.
Ending the mystery of fourth party risk. Vendors rely on third parties just like FIs. But obtaining information about these critical "fourth parties," from data centers to power providers, has proven a struggle for FIs. SSAE 18 requires the vendor to identify the subservice organizations it relies on and to describe, and have tested, the controls it uses to monitor them, which moves the onus of due diligence and monitoring of critical fourth-party vendors onto the FI's vendor. This is a huge improvement over the current situation, where an FI is technically responsible for ensuring its critical vendor's critical vendors (and their critical vendors, and so on) are reliable and compliant, yet has no direct contractual agreement with these providers forcing them to provide information. SSAE 18 doesn't eliminate an FI's responsibility for ensuring critical fourth party vendors are effective: most reports "carve out" the subservice organization, meaning its own controls are excluded from the vendor's report and are not tested there, so the FI should still obtain the subservice organization's own SOC report for anything critical. But it does make the job of investigating them much easier.
Greater vendor operation clarity. From business continuity plans to physical and cyber security, FIs will have a greater understanding of how a vendor provides its services.
Increased compliance visibility. An SSAE 18 report with the appropriate scope can address requirements such as GLBA and other industry standards. Only the controls the vendor chose to include in its system description are examined, however, so check the scope before relying on the report for a specific requirement.
While SSAE 18 is a gift for FIs, it comes with a cost. First, the report is expected to be much longer than the current SSAE 16 report, which already runs about 150 pages. That means it will cost vendors more to procure (or they'll narrow the scope of the audit to save money), and it will take FIs more time and resources to review the results and report back to management and the board. A core vendor's SSAE 18 report could theoretically be 300 pages long.
Analyzing those results will be a high priority. Just because a vendor has an SSAE 18 audit doesn't mean the vendor is compliant. Only a thorough review of the report's details will help an FI understand what was tested and what the results mean: the auditor's opinion (unqualified or qualified), the period covered and whether a bridge letter is needed for the gap since it ended, the systems and locations in scope, each exception noted and management's response to it, and the complementary user entity controls the FI itself is expected to have in place for the vendor's controls to work as described. The title at the top of the page is no guarantee that everything that needs to be covered is.
FIs should have a plan in place for deciphering these lengthier and more robust reports, whether it’s internal expertise or outsourcing. There are huge benefits to be captured.
To learn more about the new changes to the SSAE 18, including how the information in the report could have prevented some of the biggest vendor failures of the decade, check out Ncontracts’ webinar How SSAE 18 Will Affect Vendor Management and other resources.