What You Need to Know About SSAE 18
The AICPA issued an updated Statement on Standards for Attestation Engagements in April 2016. This statement, known as SSAE 18, supersedes SSAE Nos. 10 through 17 and is effective for practitioners' reports dated on or after May 1, 2017. Vendor management is a key component of the new standard where subservice organizations (the service organization's own vendors, i.e. your fourth parties) are concerned.
We have developed several resources that you'll find informative if you're researching how SSAE 18 will impact your financial institution. See the list below, and if you would like help with your due diligence efforts, request a demo of Nvendor to see how we can streamline your vendor management.
Frequently Asked Questions
Q: As a client, I prefer that my vendors provide me with SOC 2 reports since those reports are more comprehensive and generally cover controls related to the specific areas of risk I am most concerned with. Will this change?
A: No. The change is from the SSAE 16 standard to the SSAE 18 standard, i.e. the attestation standard the auditor reports under. The SOC report types (SOC 1, SOC 2) and the scope of controls they cover do not change as a result of the new SSAE 18 standard.
Q: Do I as a client need to be doing anything differently?
A: No. Ncontracts will seamlessly continue to provide the Operations Reviews for the new SSAE 18 standard.
Q: When do we expect to see the first SSAE 18?
A: Mid to late 2017
Q: Will the SSAE 18 replace the SSAE 16?
A: Yes, it is my understanding that that is indeed the case.
Q: How are international service organizations handled?
A: International service organizations may use an alternative international standard for their audits, ISAE 3402. This standard differs from the US attestation standards in a number of ways; the linked audit firm post describes nine differences in detail: http://www.a-lign.com/isae-3402-ssae-16/. The additional major differences introduced by SSAE 18 are that the service organization must have a vendor management program, perform risk assessments on its own vendors, document the subservice organizations' controls, and provide a written assertion that all material subservice organizations have been disclosed.
Q: You mentioned that just because [vendors] give you an SSAE 18 report doesn't mean they are compliant. Please list the areas we need to look at within the SSAE 18 report to make sure it's complete.
A: There is no simple checklist for determining whether an SSAE 18 report is adequate or demonstrates compliance. SSAE 18 is an attestation standard; the adequacy of a given audit depends on the scope of the review, the testing results, and whether the service organization's internal controls meet the needs of the credit union. In practice this means checking that the systems and services you actually use are within the report's scope, reading the auditor's opinion and any exceptions noted in testing, and confirming that the complementary user entity controls the report assumes are ones you have in place. The reviews that Ncontracts provides can greatly assist your credit union in this evaluation.
Q: If our vendor refused to comply with fourth-party disclosure, would that qualify as a breach of contract?
A: It depends on the terms of the agreement. The agreement would need to contain specific language requiring the disclosure of fourth parties before a credit union could claim a breach for failure to disclose. Absent such language, a vendor's refusal to disclose is a due diligence finding to manage, not a contractual breach.
Q: Will the SSAE 18 requirements be a part of the vendor annual due diligence that you perform for customers? How will the executive reviews be impacted?
A: Yes. The executive reviews will contain a section on vendor management that highlights the four major parts that are new with SSAE 18:
- List of the subservice organizations covered by the audit
- Vendor management program description, including the quality of the service provider's program
- Review of the results of the risk assessments the service provider completed on its own vendors
- Any issues with the complementary controls the vendor relies on to ensure that the subservice organizations' controls are effective
Q: Will the written assertion page be like a signature page that is included in the final report?
A: At the time of writing no SSAE 18 reports have been published, but we anticipate that the written assertion will be either a statement signed by an authorized representative of the service provider or a statement by the auditor that they have received a signed statement from an authorized representative of the service provider.
Q: How will NDAs be handled? What if our vendor's vendor does not want its information shared in our vendor report?
A: Non-disclosure agreements may create problems for a vendor undergoing review under the new SSAE 18 standard. Some NDAs allow information to be shared as long as the recipient is bound by a similar contractual provision to hold the data confidential. Otherwise, the vendor will have to obtain permission from its own vendors (your fourth parties) to share the data for the audit.
Q: When do you expect examiners to begin examining for SSAE 18 reviews?
A: To date, there is no published guidance from examiners regarding SSAE 18 reports. Examiners will expect the latest report available, and we anticipate that vendors will start to supply SSAE 18 reports beginning in September or October of 2017.
Q: Do you have a sample risk assessment document that we may use to distinguish critical vendors from other vendors?
A: Yes. We have a customizable questionnaire built into the application to assist in classifying critical vendors.
A service organization's own third-party vendors (your fourth, fifth, etc. parties), which SSAE 18 refers to as "subservice organizations," must have clearly defined responsibilities for each party and documented performance reviews that include regular audits and review of findings.
Part of the reporting on each subservice organization should include details of its established risk management program, including an explanation of the effectiveness of its controls and its processes for remediation.
Complementary Subservice Organization Controls:
Service organizations must ensure that the controls they rely on from user entities and from subservice organizations are identified, documented, and tested. Additionally, any subservice organization the vendor uses to support its own operations must maintain the same standard of practice regarding those complementary controls, since the vendor's control objectives cannot be met without them.
Written Assertion Requirements:
Management will be expected to provide an additional layer of assurance in the form of a written assertion attesting that the system description is accurate and complete in scope, so that the applicable subservice organizations are identified within the scope of the audit.