SSAE 18 Type 2
SSAE stands for Statement on Standards for Attestation Engagements. SSAE No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010. It has since been superseded by SSAE No. 18, issued in April 2016 and effective for service auditor reports dated on or after 1 May 2017.
The most significant change in moving from SSAE 16 to SSAE 18 is the requirement that a service organization run a robust vendor management program for its subservice organizations (for example, colocation facilities). The changes from SSAE 16 are summarised below.
SSAE 18 requires that service organizations implement processes that monitor the controls at subservice organizations.
SSAE 18 provides the following control suggestions:
- Review and reconcile output reports.
- Hold periodic discussions with the subservice organization.
- Make regular site visits to the subservice organization.
- Test controls at the subservice organization by members of the service organization’s internal audit function.
- Review Type 1 or Type 2 reports on the subservice organization's system.
- Monitor external communications, such as customer complaints relevant to the services by the subservice organization.
Risk Assessment
SSAE 18 requires service auditors to obtain a more in-depth understanding of the development of the subject matter, to better identify the risks of material misstatement in an examination engagement. This leads to an improved correlation between assessed risks and the nature, timing, and extent of attestation procedures performed in response to those risks.
Complementary Subservice Organization Controls
SSAE 16 required that service organizations list the complementary user entity controls, i.e. the controls that user organizations are expected to perform for the service organization's control objectives to be met.
To recognize that more service organizations now outsource key functions to their own subservice organizations, SSAE 18 introduces the parallel concept of complementary subservice organization controls. These are the controls that the service organization assumes the subservice organization has in place, and that are necessary, together with the service organization's own controls, to achieve the control objectives stated in the report. SSAE 18 requires that they be identified in the system description and provides more guidance in this area, which is intended to lead to more consistent reporting across entities and practitioners.
Written Assertion Requirement
The final change to the SOC 1 is the requirement, under SSAE 18, that the service auditor obtain a signed written assertion from the service organization's management. The assertion has always been contained within the SOC 1 report, but under SSAE 16 signing it was optional.
Since 2008, Coprocess has engaged Deloitte SA to perform an annual Type 2 audit of our application in our hosted environment, originally under SAS 70, then SSAE 16 and now SSAE 18. If you would like to see the latest audit report, please fill in this form.
Penetration testing
Since 2013, Coprocess has also engaged Deloitte SA to perform a comprehensive penetration test each year. This covers two areas:
- Blind external penetration testing
- Web application penetration testing
The results of these tests are referenced in the SSAE 18 audit report, which is also performed by Deloitte. We can confirm that the penetration testing has not identified any high-risk findings.
External penetration testing is performed as part of the yearly audit process and on an ad hoc basis during the year. Coprocess also runs its own penetration tests regularly using specialist software.
Monitoring
The Coprocess SaaS and Dedicated cloud environments are monitored 24x7 using PRTG with over 300 sensors. Warnings and alerts are sent to the Hosting Team. Uptime statistics and reports are published on the Coprocess Forum, which is available to clients.