SSAE 18

October 2019

An SSAE 18 report (SSAE 18 replaced the SAS 70 and SSAE 16) is prepared by a service provider’s auditor to evaluate and issue an opinion on the internal controls that are in place at the service provider.  Service providers that process transactions (i.e., manipulate data or perform calculations) may provide an SSAE 18 report on the internal controls that are present in their operations or their software.  An example of a service provider that should have an SSAE 18 report is your core system data processor (i.e., shares, loans and general ledger processor).  Although the purpose of an SSAE 18 report is to report on internal controls generally related to processing of transactions, it will also cover the security and privacy controls in place.

You and your financial statement auditor can use this report to understand the internal controls that are present at a service provider.  This assists you in developing proper internal controls for your operations.  Your auditor can rely on internal controls that have been tested and reported in the SSAE 18 report to reduce the amount of internal control testing during your financial statement audit.

We have received inquiries from members regarding whether Alloya Corporate Federal Credit Union (Alloya) has an SSAE 18 audit report available for their review. At this time, Alloya does not have any SSAE 18 audit reports available. The cost of preparing an SSAE 18 report is substantial, and after careful evaluation of that cost compared to the extensive compensating controls that Alloya has, it has been determined that Alloya will not prepare any SSAE 18 reports.

The following provides a high-level view of Alloya’s risk management infrastructure:

  • Alloya is required to comply with the Standards of Professional Practices of Internal Auditing as established by the Institute of Internal Auditors (IIA).
  • Alloya’s infrastructure includes an in-house internal audit function that includes a Chief Audit Executive.
  • Alloya’s Supervisory Committee contracts with an independent accounting firm to conduct an annual independent audit of the corporate financial statement.  Currently, the independent accounting firm is Doeren Mayhew.
  • Alloya contracts with external parties to conduct audits and/or assessments that require very specialized skill sets (e.g., internal/external vulnerability assessments, information systems penetration tests, code reviews, risk assessments).
  • Consistent with Regulation, Alloya has developed an extensive Enterprise Risk Management process, including an independent expert serving on a Board-level committee.
  • Alloya has invested significantly in systems and human capital in risk management, including staff with professional certification in accounting (CPA), risk management (CFA and FRM), information security (CISSP, CISM), business continuity planning (PMP, CBCP) and auditing (CIA, CISA).
  • Alloya is regulated by the NCUA which performs regular examinations of internal controls, internal audit, information systems, and other operational areas.

Alloya does make available SSAE 18 and SOC 1 audit reports for many of its partners with whom it contracts for processing services.  Those can be found on Premier View under the Help tab.

If you have further questions, please contact John Collins, Senior Vice President Risk Management and Administration, at (630) 276-2624 or john.collins@alloyacorp.org.