What is SSAE-18? And why is it important to your business?

What is SSAE-18? And why is it important to your business?

In any business, customer trust is vital. For instance, if and when customers share their financial information with you, they believe that it will facilitate the intended transactions and nothing else. And if customers can see that you’ve been verified by third parties as trustworthy, then the former can hold a feeling of vindication in choosing your business.

The same trust is what B2B relationships are built on. However, wise clients know better than to trust blindly. When choosing a managed IT services provider (MSP), for example, they’ll immediately take out of consideration those who do not have certified staff. They’ll want to see the capacity of the provider’s data center, how long the latter’s generators can last during a power outage, as well as meet the IT experts who’ll be taking care of their IT systems for them. And when it comes to their digital assets, clients want to know if their would-be MSP follows the IT industry’s best practices.

All in all, a trust-but-verify approach is crucial in determining the worthiness of an MSP — and MSPs that are verified by a third party definitely have a leg up over those with only their word to go on. That’s why you ought to know if an MSP is Statement on Standards for Attestation Engagements 18 (SSAE-18)-certified or not.

Wait...what is SSAE 18?

Before we dive in, let’s briefly discuss what financial audits are. Businesses’ financial statements, for example, are audited (i.e., officially inspected) by independent third parties to ensure that these statements are presented in accordance with generally accepted accounting principles. In simpler terms, financial audits are strict fact checks for subject matters like asset valuations, financial analyses, and corporate governance, among others.

Attestation engagements
An attestation engagement, on the other hand, is similar to an audit, except that the former examines assertions (i.e., implicit or explicit claims) made regarding the subject matters mentioned earlier.

For instance, your firm may list the purchase of an SUV as a company expense, so this implies the assertions of occurrence (i.e., the transaction did occur), completeness (i.e., all transactions related to the purchase, such as automobile insurance, have been recorded in the financial statements), and accuracy (i.e., the appropriate amounts have been accurately recorded), among others. Other examples of assertions include regulatory compliance claims and financial forecasts.

Assurances and risk assessments
Because attestation engagements are accomplished by independent bodies that are overseen by the American Institute of Certified Public Accountants (AICPA), MSPs undergo such engagements to provide their clients with unbiased assurances and risk assessments about their services.

Let's put this in the context of your organization. You have your own auditors who look into your financial reports and claims on regulatory compliance. If and when you do hire an MSP to outsource your IT processes, your auditors will want to look into the services you’re spending on (especially if you’re registered with the Ontario Securities Commission or the Securities and Exchange Commission (SEC) in the US), as well as check if that service provider has sufficient controls in place to protect your customers’ data.

Since the SSAE standardizes attestation engagements, you and your auditors can simply ask the MSP’s auditors for Service Organization Control (SOC) reports to easily evaluate that service provider and recognize potential risks of partnering with them.

SOC 1 Report An assessment of the service provider’s internal controls as they pertain to the provider’s clients’ own internal controls over financial reporting.
SOC 2 Report A detailed evaluation of the aspects of a service provider’s information system, such as availability, privacy, processing integrity, and security.
SOC 3 Report A shorter version of the SOC 2 report that’s meant to be read for general audiences.

Past praise for XBASE’s SSAE-16-related services:

“The SSAE-16 (SSAE-18’s predecessor) was one of the best reasons for us to outsource our infrastructure (to XBASE Technologies). Knowing that our business critical data is in a secure, compliant data center with speedy support service certainly gives us and the auditors peace of mind.”Jin Shi - Timbercreek AM

“The SSAE-16 report is very important to our firm because our institutional clients
and prospects perform due diligence and always ask about our oversight of XBASE’s
processes and policies. The audited report goes a long way in satisfying the Due
Diligence questions from our institutional clients that rely on us.”
Henry Kim -
CGOV Asset Management (now a subsidiary of Fiera Capital)


Subservice vendors
The latest edition of the standards — SSAE 18 — now requires service providers to also monitor the service providers they rely upon (called “subservice vendors”) to render their services. For instance, XBASE offers our clients productivity apps from Office 365. This means Microsoft is a subservice vendor of ours, and our auditors need to include them in their assessments so we can provide our clients with a more comprehensive (and more assuring) look into our internal controls.

What is all this fuss for?

Data security, of course.

When working with an MSP, you’ll want to make sure that your data is protected, no matter how wide its network of subservice vendors may be. Whether you’re in an industry where data privacy of end consumers is paramount (such as in healthcare or financial services), or in a sector where proprietorship of information forms significant competitive advantages, you’ll definitely want an MSP that is SSAE-18 certified.

To learn more about XBASE’s most recent round of SSAE-18 certifications, please visit our blog. Talk with our consultants to learn how our Exponentially Better™ data security services can open your business up to growth opportunities while keeping it safe from cyberthreats.

Like This Article?

Sign up below and once a month we'll send you a roundup of our most popular posts