SSAE 18 – Key Changes from SSAE 16 and Trust Services Update

In June 2011, the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board released the Statement on Standards for Attestation Engagements (SSAE) No. 16 standard to offer guidance on auditing methods for SOC 1 reports (those associated with financial reporting controls), along with interpretation under AT Section 101 for SOC 2 reports (those not concentrated on internal financial reporting controls). Then, in April 2016, the AICPA Auditing Standards Board issued SSAE 18. This new standard is relevant to all SOC verification engagements and replaces SSAE 16. SSAE 18 is valid for SOC reports dated on or after May 1, 2017.

Service organizations must quickly get accustomed to several changes in the revised standard, since the changes affect them directly. SSAE 18 sets a clear focus for the organization on ensuring an unbiased presentation of the controls, as well as on the way auditors are now required to approach data gathering and authentication of the controls. This will bring consistency and make SOC reports easier to compare for organizations assessing the service organization control environment. The revisions can be categorized into three areas: Third Party Vendor Management, Data Authentication, and Risk Assessment.

Third Party Vendor Management

SSAE 18 talks about vendor management for the first time, referring to third party vendors as “subservice organizations.” SSAE 18 shows similar elements to banking regulation when it comes to third party vendors.

  • Scope. Parallel to contract management, SSAE 18 requires a vendor to state the scope and responsibilities of each third party vendor being used. The significance and particulars of each third party vendor and how they are is based on service level agreements, terms of agreement, warranties and guarantees.
  • Performance review. Vendors must determine the success of each third party vendor, with proper documentation on each topic of the performance review.
  • Reviewing audits. A vendor should have a standard method for reviewing each third party vendor’s audits. According to SSAE 18, it is particularly important to understand how the vendor deals with conclusions to ensure that each third party vendor is dependable.
  • Monitoring. A vendor must assess customer complaints, regulatory organization reports and data associated with the third party vendor’s financials, litigation, employee changes, etc. to screen for substantial operational issues.


Under SSAE 16, user control considerations listed all of a vendor’s controls. With SSAE 18, the user control considerations are extended, which requires vendors to request the controls of each third party vendor. Service organizations often use specific procedures when they begin to partner with a third party vendor. However, it is now becoming more essential to assess and monitor the third party vendor on a constant basis with the techniques highlighted in SSAE 18.

Data Authentication

SSAE 18 states that service auditors must evaluate the information produced by the service organization to guarantee it is thorough, exact, adequately precise, and detailed. Auditors are also required to ensure that the data given is reliable for the service auditor’s purpose and scope of the engagement, which will make the audit process more flexible, useful and relevant to each service organization.

Risk Assessment

Similar to any financial institution, a vendor must present a risk assessment program to identify crucial risks, develop controls, and facilitate findings. This permits a vendor to identify its most critical risks and appropriately distribute resources. SSAE 18 magnifies this beyond SSAE 16. SSAE 18 gives financial institutions a greater guarantee that a vendor is in a position of strength to provide services as promised. There is also substantial impact on service auditors or service organizations to meet the requirement of these risk assessments.

How to Meet SSAE 18 Requirements

Meeting the requirements can be an intimidating task for many organizations, and the lengthy changes in SSAE 18 will create new questions and confusion. NightLion Security offers a free download for SSAE 18, as well as a comprehensive service plan to ensure your compliance. Our services will include:

  • Scoping
  • Risk assessment
  • Penetration testing
  • Gap assessment
  • Policy and documentation creation
  • Mapping main policies and procedures to risk controls
  • Remediation and risk treatment assistance
  • Project management
  • Complete audit readiness, including the development of required testing procedures

NightLion Security is here to exceed your organization’s expectations every step of the way to ensure that you are completely organized and prepared for a formal audit. Our expert security consultants have real-world experience helping clients, like you, meet all facets of compliance for the SSAE process.