Testing according to American standard
Reporting on Controls at a Service Organization / US American auditing standard
Statements on Standards for Attestation Engagements (SSAE 18), Reporting on Controls at a Service Organization, is the American auditing standard for auditing the ICS of outsourcing service providers.
The basis of an audit in accordance with SSAE 18 comprises the description of the service-related ICS and the management assessment. As part of the management assessment, management provides a statement that the ICS is adequately presented or rather that the internal controls were implemented during the audit period and, in the case of a type II audit, were effective in achieving the predefined control objectives. A description of the ICS by the company to be audited is an essential part of the reporting.
A SSAE 18 audit can include two dimensions
Assessing the adequacy and design of controls at a predetermined point in time without making a statement about their effectiveness.
In addition to Type I, an assessment of the effectiveness of the established controls of the ICS is carried out within a predefined audit period.
Benefits of SSAE 18 certification:
Proof of the appropriateness and, if applicable, effectiveness of the service-related ICS
Assessment of business risks through outsourcing of operational processes
Reporting on the ICS of the service company
Quality feature compared to non-certified companies
Marketing instrument for maintaining and expanding the customer base