1. SSAE 18 Service Organization Control Reports: How to Incorporate Them into Your Third-Party Risk Management Program

SSAE 18 Service Organization Control Reports: How to Incorporate Them into Your Third-Party Risk Management Program

SSAE 18 Service Organization Control Reports: How to Incorporate Them into Your Third-Party Risk Management Program
Event ID: 16715

Duration: 90 minutes, including question and answer period.
Presenter(s): Gary Deutsch, CPA, president, BRT Publications, LLC
Price: $299.00, On-Demand includes full audio presentation, question and answer session, and presentation slides.
Credits: Live webinar approved for 1.5 NASBA credit hours (Management Advisory Services)
Who Should Attend? Internal auditors, financial institution counsel, compliance officers, IT officers, risk managers, vendor managers, finance officers, chief operations officers, chief information officers, persons responsible for electronic security


Financial institutions know how the regulators view outsourcing. They expect that institutions will perform extensive due diligence of all third parties before entering business arrangements with them. They also expect that bankers will monitor those relationships for risks that could adversely impact the institutions operations and safety and soundness.

When SSAE 16 replaced SAS70 as the standard for auditing service organizations, the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) expected that their guidance would be sufficient for CPA firms to develop quality engagements. Although well-known CPA firms embraced SSAE 16 and conducted thorough audits of service organizations, some firms that competed for these engagements on price were less thorough. The ASB took notice and decided to clarify the standards they originally intended for auditing service organization controls. The result of this effort is SSAE 18 which encompasses all “attestation” engagements, not just the audits of service organization controls. However, SSAE 18 does not address audits of “trust service principles” that are part of SSAE 16, SOC 2 and SOC 3 engagements. SOC 2 and SOC 3 engagements continue under SSAE 16.

SSAE 18 is important to bankers because it requires CPAs to focus on such critical regulatory issues as third party vendor management practices, validating the data on reports that vendor management provides, and performing a comprehensive risk assessment of their vendor clients. These expended procedures are all directed at ensuring that the vendor’s controls will not adversely impact the accuracy of the institution’s financial reports. Another important addition in SSAE 18 is the need for vendors to conduct thorough due diligence and ongoing monitoring on all vendors (i.e., subservicers) they use. Control risks increase when your vendors contract with subservicers which is why the ASB expanded this part of the required audit process.

Please join Gary Deutsch, CPA MBA, for this timely webinar that has been developed to help you prepare for examinations of your third-party risk management program.


During this important webinar, Gary Deutsch will discuss:

  • What has changed and what is the same in the transition from SSAE 16 to SSAE 18
  • How to evaluate when you can rely on SSAE 16 reports or if you need SSAE 18 reports
  • How to interpret SSAE 18 SOC 1 reports to incorporate the results into your third-party vendor management regulatory compliance program
  • How to effectively incorporate SSAE 18 SOC 1 risk assessments into your institution’s risk assessment process
  • Understand the types of engagements institutions can ask for beyond SOC 1 under SSAE 18



Your conference leader for "SSAE 18 Service Organization Control Reports: How to Incorporate Them into Your Third-Party Risk Management Programs” is Gary Deutsch, president, BRT Publications LLC. Mr. Deutsch is a licensed CPA in Maryland and has a B.A. in accounting and an MBA in finance from Loyola University Maryland. He has also achieved the Certified Management Accountant, Certified Internal Auditor and Certified Bank Auditor designations. Mr. Deutsch is the founder and president of BRT Publications LLC.

<>Mr. Deutsch has trained thousands of financial institution professionals in all aspects of risk management and has written numerous books in the U.S. and Europe on topics such as credit risk, internal audit and compliance with Generally Accepted Accounting Principles. Mr. Deutsch has extensive risk management and internal audit experience through his association with financial institutions of all sizes as well as through his role leading the KPMG financial institution consulting practice in the Mid-Atlantic region.



BankersWEB, a division of DKG Media, LP, wants you to be satisfied with your webinar. If this webinar does not meet your expectations, email us at [email protected].


BankersWEB certificates of participation are available to everyone completing this webinar.