SSAE 18 Type 2

SSAE stands for the Statement on Standards for Attestation Engagements and No. 16 (now 18), Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010.

SSAE 16 was the new "attest" standard for reporting periods ending on or after June 15, 2011 essentially replacing Statement on Auditing Standards no. 70, simply known as SAS 70.

SSAE 16 required management of the service organization to provide a description of its "system" along with a written statement of assertion. Both requirements differ from the previous SAS 70 auditing standard in the following manner:

  • The SAS 70 auditing standard only called for a description of "controls", while the SSAE 16 attest standard now requires a description of its "system", which is more comprehensive and expansive than that required by SAS 70.
  • SSAE 16 requires a written statement of assertion, something that was not required under SAS 70 Type I or Type II audits.

This written statement of assertion must be crafted by management and contain several essential clauses for which management of the service organization will effectively "assert" to.

In the Spring 2016, The AICPA’s Auditing Standards Board (ASB) completed the clarity project, the result of which was the issuance of the SSAE 18 standard, “Concepts common to all Attestation Engagements”. This new standard replaces SSAE 16 for SOC 1 engagements and went into effect for reports dated after May 1, 2017.

The most significant change in the requirements that must be met by a service organization is ensuring that its vendor management program for subservice providers (for example colocation facilities) is significantly robust. The changes from the SSAE 16:

SSAE 18 requires that service organizations implement processes that monitor the controls at subservice organizations.

SSAE 18 provides the following control suggestions:

  • Review and reconcile output reports.
  • Hold periodic discussions with the subservice organization.
  • Make regular site visits to the subservice organization.
  • Test controls at the subservice organization by members of the service organization’s internal audit function.
  • Review Type I or Type II reports on the subservice organization’s system.
  • Monitor external communications, such as customer complaints relevant to the services by the subservice organization.

Risk Assessment

SSAE 18 requires service auditors to obtain a more in-depth understanding of the development of the subject matter, to better identify the risks of material misstatement in an examination engagement. This leads to an improved correlation between assessed risks and the nature, timing, and extent of attestation procedures performed in response to those risks.

Complementary Subservice Organization Controls

SSAE 16 required that service organizations provide a listing of controls that should be performed by user organizations.
To recognize that more organizations are outsourcing key functions to their own set of subservice organizations, SSAE 18 introduces the concept of “Complementary Subservice Organization” controls. This concept establishes and defines the controls for which user entities must now assume in the design of the system description. Another key factor related to these complementary controls is that they are necessary for the achievement of control objectives in the report. SSAE 18 provides more guidance around this area, and is designed to lead to more consistent reporting across entities and practitioners.

Written Assertion Requirement

The final change to the SOC 1 is the requirement, per SSAE 18, that the service auditor obtains a signature on the written assertion. This statement has always been contained within the SOC 1 reporting document but the requirement that the service organization signs the document was optional.

Since 2008, Coprocess has engaged Deloitte SA to perform an annual SSAE 18 Type 2 audit on our application on our hosted environment (previously the SAS70 Type2 and SSAE 16 Type 2 audit). If you are interested to see the result of the latest audit report (to end September 2017) please fill in this form.

Penetration testing

Since 2013, Coprocess has also engaged Deloitte SA to perform a comprehensive penetration test. This covers 2 areas:

  1. Blind external penetration testing
  2. Web application penetration testing

The results of these tests are referred to in the SSAE 18 audit report also performed by Deloitte. We can confirm that there are no high priority risk issues found as a result of the penetration testing.

External penetration testing is performed as part of the yearly audit process and ad hoc during the year. Coprocess also runs its own penetration testing regularly using specialist software.


The Coprcoess SaaS and Dedicated cloud environments are monitored 24x7using PRTG with over 300 sensors. Warnings and alerts are sent to the Hosting Team. Uptime statistics and reports are published on the Coprocess Forum, available to clients.

Submit to FacebookSubmit to Google PlusSubmit to TwitterSubmit to LinkedIn

Call us today for Free Trial

Europe & Asia
+41 22 311 1383

+1 844 332 7083

or click here

Free Trial

Request our Brochure

Europe & Asia
+41 22 311 1383

+1 844 332 7083

or click here

Request Brochure