==Precedents and initial release==
SAS 70: In April 1992, the AICPA published Reports on the processing of transactions by service organizations; Statement on auditing standards, 070, which provides guidance when auditing the financial statements of an entity that uses a service organization to process transactions that affect financial reporting.
COSO Internal control: integrated framework: In September 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a report titled Internal control: integrated framework, which provided a definition of internal control and a framework for evaluating and improving internal control over systems.
SAS 78: In December 1995, the AICPA published Consideration of internal control structure in a financial statement audit: an amendment to SAS no. 55; Statement on Auditing Standards, 078, which superseded SAS 55, to reflect the definition of internal control provided in COSO Internal Control-Integrated Framework.
ISAE 3402: In December 2009, the International Auditing and Assurance Standards Board (IAASB) published a new International Standard for Assurance Engagements, ISAE 3402, titled Assurance Reports on Controls at a Service Organization, also known as Internal Control Framework over Financial Reporting (ICFR). It focuses on "assurance engagements when reporting on controls at a service organization that are likely to impact or be a part of the user organization's system of internal control over financial reporting". It specifies ISAE 3000 as being applicable. ISAE 3402 was adopted by the International Federation of Accountants (IFAC).
SSAE 16: In April 2010, the AICPA published Statement on Standards for Attestation Engagements no. 16 (SSAE 16), titled Reporting on Controls at a Service Organization, which superseded SAS 70 and was included in Professional Standards as section AT 801. The changes in this update brought the standard closer to the reporting structure required by the Sarbanes-Oxley Act and the standards supported by the International Federation of Accountants (IFAC).
SOC: In 2011, in conjunction with the release of SSAE 16, the AICPA replaced the service auditor's examination report prescribed by SAS 70 with the System and Organization Controls (SOC) suite of reports.
Trust Services Criteria: In 2014, the AICPA Assurance Services Executive Committee (ASEC) published new guidance, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, referred to simply as control criteria. The new control criteria were aligned with the 17 principles of COSO Internal Control—Integrated Framework. It included criteria to supplement COSO principle 12 by addressing controls for logical and physical access, system operations, change management, and risk mitigation.
SSAE 18: In April 2016, the AICPA published Statement on Standards for Attestation Engagements 18; Attestation Standards: Clarification and Recodification in response to "concerns over the clarity, length, and complexity of its standards", with most sections becoming effective on May 1, 2017.
==Changes introduced by SSAE 18==
===Clarification and recodification===
SSAE No. 18 clarified and revised all prior SSAEs except for SSAE No. 10 chapter 7, which was placed in AT-C section 395 in unclarified form, and SSAE No. 15, which was replaced by Statement on Auditing Standards No. 130 and moved to AU-C section 940. The AT section numbers for the superseded SSAEs were recodified in the Professional Standards as section "AT-C" to avoid confusion with the older standards codified as section "AT".
==Recent developments==
There have been some notable developments in information assurance audit standards since the initial release of SSAE no. 18 that affect reporting under this standard.
Cybersecurity Risk Management Reporting Framework: In 2017 the AICPA Assurance Services Executive Committee (ASEC) published new and revised materials that together form a cybersecurity risk management reporting framework. The framework is intended to assist organizations in describing their cybersecurity risk management activities. It is also intended to assist CPAs in performing examination engagements, known as SOC for Cybersecurity examinations. The three resources that form the framework are:
• Description Criteria, titled Criteria for describing a set of data and evaluating its integrity, introduced in 2017, is intended for use by management and CPAs to describe and report on their risk management measures.
• Control criteria, titled Trust Services Criteria for Security, Availability, and Confidentiality, revised in 2017, is intended for CPAs providing advisory or attestation services to evaluate and report on the effectiveness of controls.
SOC: As of 2018, the AICPA continues to update and expand its System and Organization Controls (SOC) reporting guidance. This includes new material such as SOC for Service Organizations and SOC for Cybersecurity Reporting Framework.

==Sections and organization==