What is SSAE 18?

Video Transcript

Welcome to this week’s Third Party Thursday! My name is Aaron Kirkpatrick and I’m the Information Security Officer here at Venminder. 

In this video, we’re going to cover what you need to know about the SSAE 18. But, before we dive into that, let’s cover some basic knowledge related to how SSAE 18 works with the other SOC type documents. 

1. First off, SOC 1 and SSAE 16 will no longer be synonymous (or considered the same thing/named together). SOC 1’s will only be SOC 1’s.
   
2. Second, the SSAE 18 does not directly replace the SSAE 16. The SSAE 18 is a simplified standard covering many other standards, SSAE 16 was just one. The SSAE 18 causes the SSAE 16 to be retired though as 16 is covered within 18.
   
   
3. Third, if you request an SSAE 16/SOC 1 now, you’ll still request a SOC 1, just without reference to SSAE 16 or 18.
   
   
4. And fourth, the SSAE 18 does not affect SOC 2 or 3’s as they are covered under a different standard than the SSAE 16 was.

Now that we covered that, let's cover more about what SSAE 18 is.

SSAE 18 requires a new creation and mandatory inclusion of Complementary Subservice Organization Controls when applicable - so controls related to your fourth parties. This will provide additional clarity of how your vendor is addressing their own vendor management obligations - so how they are handling your fourth parties. 

More specifically, your vendors must identify the functions and controls that your vendor assumes their vendors are performing – all to provide you with a product or service as agreed in your contract and service level agreement.

This is good news because now vendor management is no longer just your problem, it's also your vendor's problem.

The bad news is this does not provide you with any additional assurance as the scope of your vendor’s audit will not include the operating effectiveness of the controls at your fourth party. However, it will provide the guidance you need to perform an informed review of your fourth party's SOC 1 or 2 report or other available and comparable documentation. 

With SSAE 18 coming into effect, there's also 3 key updates to SOC 1’s.

1. There's a risk assessments requirement. This was something the SOC 2 already required to ensure controls address risks. So ask yourself, "Does the vendor fully understand and document the risks of operating and are there controls in place to monitor and mitigate that risk?"
   
   
2. Another update is the creation of the Complementary Subservice Organization Controls. Meaning, "Does the vendor use a separate vendor or internal business unit critical to the delivery of products or services which is not within the scope of the audit?"
   
   
3. And the third update is additional guidance to further the auditor’s understanding of the subject matter and internal control environment of the service organization, your vendor. So this means, "Does the auditor understand what they’re auditing?“
   
   
4. And the fourth update is a clarification on Complementary User Entity Controls, which emphasizes that those controls should be specific to the product or service in scope and provided by the vendor and should relate back to specific vendor control objectives. 

The official date was May 1, 2017. And also now, SSAE 16 will no longer be used. By mid to late 2017, you should begin to see the first SSAE 18’s being provided by vendors.

Our customers who use our SOC Analysis service already know that subservice organizations have been a focus in our analysis’ and this update will further our ability to provide even more insight into the operations of your vendors.

Now you know the key updates associated with SSAE 18, when to expect SSAE 18's, and why it matters to you.

Again…I’m Aaron Kirkpatrick and thank you for watching! If you haven’t already subscribe to the Third Party Thursday series.