SSAE Compliance, also known as Statement on Standards for Attestation Engagements and Compliance, is a collection of auditing standards and guidance based on standards published by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).
These standards define how service companies report on their compliance controls and processes. SSAE 16 (SOC 1) was published in April 2010 as the reporting standard for all service auditors’ records and was issued to replace the Statement on Auditing Standards No. 70. If you are familiar with SOC 1 audits, you are most likely familiar with SSAE 16. Unfortunately, SSAE 16 had a number of failure points and was replaced on May 1st, 2017 by SSAE 18, which was designed to address those gaps.
SSAE 18 is the current standard in use today. Auditors follow SSAE 18 prescriptions when performing SOC 1 through SOC 3 assessments, regardless of whether the report is Type I (a point-in-time assessment of controls) or Type II (a review of controls over a period of 9 to 12 months).
SSAE 18 introduced important changes in how sub-service organizations are treated. Previously, the controls and testing of sub-service organizations (outsourced providers or subcontractors) were out of scope for the audit, leaving critical gaps in testing.
What does this mean for an SMB?
SMBs should build an auditable cybersecurity program with controls around access management, least privilege, accountability, training, governance, and technology. Each of these areas needs controls and processes that produce artifacts available for inspection. Doing so prepares any SMB for outside inspection through an SSAE 18 assessment. Initially, organizations should engage in a SOC 1, or point-in-time, inspection of their controls. This allows time for correction of gaps and remediation with a smaller investment in time and money. Once a successful SOC 1 SSAE 18 assessment is secured, an SMB should pivot quickly to a SOC 2 to validate that its processes work over time.
An SMB that can successfully pass an SSAE 18 SOC 2 Type II assessment should be well positioned to pass other types of audits, though frameworks such as HIPAA and PCI may have prescriptions of their own that go beyond existing controls.
The most important message from this article on SSAE audits is that the act of inspecting one’s business processes and controls is highly valuable. NIST and CyberHoot both recommend establishing a Risk Management Framework at any organization. Doing so ensures you’re spending your finite and valuable time and money on the most important risk mitigation activities. This is time and money well spent.
CyberHoot can play a strong role in preparing companies for such auditing through its policy and process management, training programs, phish testing, and even the assessments you can use to self-assess prior to external assessment. Email firstname.lastname@example.org to get more information!