The Statement on Standards for Attestation Engagements 18 (SSAE 18) is a standard from the American Institute of Certified Public Accountants (AICPA). These regulations evaluate service companies, and any company that provides outsourced services that impact another company’s financial statements can request an SSAE 18 audit. In addition, SSAE 18’s Service and Organization Controls (SOC) 2 report focuses on security and privacy.
Through the beginning of 2022, independent service auditors performed their examination to obtain reasonable assurance about whether, in all material respects,
- The description is presented per the description criteria and,
- The controls are suitably designed and operating effectively to meet the applicable trust services criteria stated in the description from July 01, 2021, to December 31, 2021.
The service auditors also performed procedures to obtain evidence about the fairness of the presentation of the description based on the description criteria and the suitability of the design and operating effectiveness of those controls to meet the applicable trust services criteria. Their procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to meet the applicable trust services criteria.
Furthermore, the auditors’ procedures also included testing the operating effectiveness of those controls that they consider necessary to provide reasonable assurance that the applicable trust services criteria were met. Finally, their examination also included evaluating the overall presentation of the description.
The service auditors believe that the evidence obtained is sufficient and appropriate to provide a reasonable basis for their opinion. Accordingly, in their opinion, in all material respects, based on the description criteria described in Excellarate’s assertion and the applicable trust services criteria:
- The description fairly presents the system designed and implemented from July 01, 2021, to December 31, 2021.
- The controls stated in the description were suitably designed to assure that the provider would meet the applicable trust services criteria if the controls operated effectively from July 01, 2021, to December 31, 2021. The sub-service organization and user entities applied the controls contemplated in the design of Excellarate’s controls from July 01, 2021, to December 31, 2021.
- The controls operated effectively to ensure that the provider met the applicable trust services criteria throughout the period July 01, 2021, to December 31, 2021, and user entities and sub-service organizations applied the controls contemplated in the design of Excellarate’s controls.
- Those controls operated effectively from July 01, 2021, to December 31, 2021.
The SOC 2 report examines the areas of security, availability, processing integrity, and confidentiality. A secure organization:
- Protects and prevents data from unauthorized access
- Makes information and services readily available when requested
- Runs systems that perform their functions as intended
- Keeps confidential information confidential
These standards keep the organization accountable to its stakeholders and customers and assert their rights and control over who can use their data.
Some benefits of having a SOC report in place include:
- Ability to perform outsourcing services for publicly held companies in the USA.
- Providers with a valid SSAE 18/SOC 1 can perform financially significant duties for a public company and give investors assurance over the controls that the outsourcing provider performs.
- Customer companies are more likely to trust certified providers with their data.
- Beyond any compliance requirements, this certification provides assurance that the provider handles its data with the utmost care.
- Auditors serve as excellent knowledge sources throughout the year. Companies engaging with certified providers can raise questions and concerns with a group of trusted individuals who know their business.
- A third party reviews the provider’s controls and activities to ensure they are functioning appropriately and gives advice on how to improve them.
- Improving the performance of the internal auditing function and the organization as a whole.
Inherent Limitations
The description is prepared to meet the everyday needs of a broad range of users and may not include every aspect of the system that each user may consider critical to their own particular needs. Because of their nature, controls at a service organization may not continuously operate effectively to meet the applicable trust services criteria.
Also, conclusions about the suitability of the design and operating effectiveness of the controls to meet the applicable trust services criteria are subject to the risks that the system may change or that controls at a service organization may become ineffective.