New Attestation Standard (SSAE 18) coming in 2017
As you know, as a part of vendor due diligence, the Credit Union typically asks for an attestation engagement in the form of an SSAE 16 from the vendor to assess various internal controls and security protocols. Effective May 1, 2017, SSAE 16 will be replaced by the new SSAE 18. While much of the previous SSAE 16 remains intact, SSAE 18 provides clarification to the previous standards and enhances the standards with respect to requests for information for areas of risk within the vendor’s organization. Broadly focused, it covers various aspects of audits, reviews, agreed-upon procedures, and other engagements including, among other things:
- Risk assessment for examination engagements. SSAE 18 requires practitioners to obtain a more in-depth understanding of the development of the subject matter than currently required in order to better identify the risks of material misstatement in an examination engagement. This, in turn, should lead to an improved linkage between assessed risks and the nature, timing, and extent of attestation procedures performed in response to those risks.
- Incorporation of detailed requirements. SSAE 18 incorporates a number of detailed requirements (such as the need for an engagement letter or equivalent and for written representations in examinations and reviews) that are similar to those contained in Statements on Auditing Standards (SASs).
- SSAE 18 requires the service auditor to evaluate whether information is sufficiently reliable for the service auditor’s purposes “by obtaining evidence about its accuracy and completeness and evaluating whether the information is sufficiently precise and detailed.”
Presumably, these new standards will require service auditors and practitioners to validate information and reports by detailing how reports are generated, who prepares such reports and ensuring the requisite level of detail in such reports. While SSAE 18 takes effect next year there is no prohibition to begin utilizing such standards and we suggest that our clients request SSAE 18 audit materials when performing their due diligence, and incorporate this change into their vendor contract verbiage.