What MSPs Need to Know About SSAE 18
If you are still scratching your head and wondering what ever happened to SAS 70, much less SSAE 16, keep reading. There is a lot of confusing information out on the Internet about IT audits. I will attempt to make what can be a complicated topic into something anyone can understand.
SAS 70 no longer exists. This audit method was just reaching a minor level of popularity amongst the data center community during the mid-2000s when the decision was made to implement a new audit methodology called SSAE 16
The Statement on Standards for Attestation Engagements (SSAE) No. 16 came into use the middle of 2010. SSAE 16 would produce a SOC 1 report, which was signed by a CPA firm and examines the controls of a service organization (in our case, a MSP), impacting the effective internal controls covering financial reporting.
What is SSAE 18? It's SSAE 16, only 2 louder. Spinal Tap movie references aside, SSAE 18 has now replaced SSAE 16 effective May 1, 2017. SSAE 18 is also more commonly going by the simpler naming convention of a SOC 1 report. If you are further confused by the differences between SOC 1 and SOC 2 audits, click the link and read a nice comparison of the two.
The key distinction of SSAE 18 from SSAE 16 as it relates to SOC reports, is the monitoring of subservice organizations utilized in the delivery of managed services. In the managed services community, a MSP could be subservice organization, which is why your customers are asking you (the MSP) for an audit report. Alternatively, within a managed service provider organization, subservice organizations also mean third party vendors, such as RMM, PSA, cloud vendors, etc.
If you are a MSP and are part of the MSP/Cloud Verify program, sub-service organizations are already part of our standard and have been for many years. If your audit firm has not been testing third party vendors in your SSAE 16 engagements, this is probably going to be a significant new aspect of your audit going forward.
If you are in need a a good vendor management policy template, MSPAlliance can help.
In closing, MSPAlliance receives a lot of inquiries from MSPs asking about audit reports. Most have asked about SOC 1 reports but that trend is now changing to SOC 2. In any case, SSAE 16 is no more.
If you have questions about audit reports for MSPs please contact MSPAlliance for a free consultation.