
Understanding SSAE 18: A Guide for Organizations Seeking a SOC Report

  • January 30, 2025
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Cavan Leung

Senior Compliance Manager

Auditing standards set out guidelines for auditors to follow when evaluating a service organization’s internal controls and how the organization reports on these controls. These standards help ensure that audits of financial statements and internal controls are consistent and reliable and that the resulting attestation reports are high-quality and useful to investors, regulators, and other key stakeholders. 

SSAE 18 is one of the most well-known auditing standards and is used for SOC 1 and SOC 2 audits. Understanding this standard is not only important for auditors that evaluate and report on service organizations’ internal controls related to financial reporting and the Trust Services Criteria—it is also important for service organizations undergoing these audits. 

Below we’ll cover what the standard is and why it’s important, how it compares to its predecessor SSAE 16, and how it relates to SOC 1 and SOC 2 compliance.

What is SSAE 18?

SSAE 18, or the Statement on Standards for Attestation Engagements No. 18, is an auditing standard developed by the Auditing Standards Board (ASB), a senior committee of the American Institute of Certified Public Accountants (AICPA). It outlines guidelines for auditors when evaluating the effectiveness of a service organization’s internal controls and reporting on those controls. 

Since SSAE 18 provides guidelines for different types of attestation engagements, this standard could be used to guide audits of, for instance:

  • a schedule of investment returns
  • the effectiveness of an entity’s controls over the security of a system
  • a statement of greenhouse gas emissions

While SSAE 18 can be used for different types of attestations, SSAE 18 is most commonly used for SOC 1 and SOC 2 audits. That means SSAE 18 is especially relevant to organizations that handle financial information or sensitive customer data and/or provide outsourced services like payroll, IT, or cloud computing. 

Let’s take a closer look at what an SSAE audit is below.


What is an SSAE 18 audit​?

An SSAE 18 audit assesses whether a service organization’s controls are properly designed and operating effectively.

Conducted by an independent CPA or audit firm, the process involves:

  1. Evaluating the organization’s control environment.
  2. Testing the implementation and effectiveness of those controls.
  3. Providing a detailed report outlining the audit findings.

These audits result in a report that helps organizations identify control gaps and unaddressed risks, enhance processes, and build trust with customers and other stakeholders. 

Let’s take a closer look at what an SSAE report is below.

What is an SSAE 18 report?

An SSAE 18 report is the report produced by certified public accountants (CPAs) after conducting an attestation engagement under the SSAE 18 standard. This report provides third-party assurance to stakeholders that the organization’s controls are appropriately designed and operating effectively as intended.

The most commonly known SSAE 18 reports are SOC reports, including:

  • SOC 1 reports: Focused on internal controls relevant to financial reporting.
  • SOC 2 reports: Focused on non-financial controls, including security, availability, processing integrity, confidentiality, and/or privacy.
  • SOC 3 reports: Provides a summary of the SOC 2 attestation report that's suitable for the general public.

Service organizations often share these reports with customers, partners, investors, and other stakeholders to demonstrate their commitment to maintaining robust controls for financial reporting and/or data security. 


Did SSAE 18 replace SSAE 16?

Yes, SSAE 18 replaced SSAE 16 in May 2017. The transition aimed to modernize the framework and make the audit process more robust and easier to understand while placing more emphasis on risk management. 

SSAE 18 introduced key enhancements, including:

These updates have helped organizations better adapt to the complexities of today’s interconnected business landscape and evolving threat landscape. 

Let’s take a closer look at the differences between SSAE 16 and SSAE 18 below.

SSAE 16 vs SSAE 18​: What are the key differences?

While SSAE 16 and SSAE 18 share similarities, their differences highlight the evolution of compliance standards:

Broader scope

While SSAE 16 had a more limited focus on controls at service organizations related to financial reporting, SSAE 18 expands this scope to include different types of attestation engagements. This makes SSAE 18 suitable for SOC 2 as well as SOC 1 audits. 

New focus on vendor risk management

SSAE 18 includes new requirements for auditors to assess whether the organization evaluates and monitors risks associated with subservice organizations (third-party vendors that the service organization relies on to provide services to its users). This means service organizations must not only identify and document the subservice organizations they use, but also monitor their compliance and effectiveness of internal controls over time. SSAE 16 did not have specific requirements related to subservice organizations.

Expanded requirements for risk assessments

SSAE 18 also includes new requirements for auditors to assess whether the organization has an “accurate and complete” risk assessment process, including procedures to respond to assessed risks. Auditors must evaluate whether the controls identified in the management’s description of the service organization’s system are linked to those assessed risks and whether those controls have been implemented. SSAE 16 did not have requirements for a formal risk assessment process. 

Improving clarity of all standards

A major goal of the ASB in creating SSAE 18 was to address concerns over the clarity, length, and complexity of its standards, SSAE Nos. 10–17. So ASB redrafted all attestation standards (except for two) in SSAE 18 for the sake of clarity. Some of these updates included:

  • Establishing objectives for each clarified attestation standard (“AT-C section”)
  • Including a definitions section, where relevant, in each AT-C section
  • Separating requirements from application and other explanatory material
  • Numbering application and other explanatory material paragraphs using an A- prefix and presenting them in a separate section that follows the requirements section
  • Using formatting techniques, such as bulleted lists, to enhance readability
  • Including, when appropriate, special considerations relevant to audits of smaller, less complex entities within AT-C sections
  • Including, when appropriate, special considerations relevant to examination, review, or agreed-upon procedures engagements for governmental entities within AT-C sections

Simplification and convergence with international standards

SSAE 18 simplifies and converges attestation standards to align with international standards, specifically those of the International Auditing and Assurance Standards Board. Namely, three major sections of SSAE 18 — AT-C Sections 105, 205, and 210 — align with the International Standard on Assurance Engagements 3000 (ISAE 3000), although there are differences that reflect U.S. professional standards. This convergence with international standards enhances the applicability of SSAE 18 across regions.

Overall, SSAE 18 provides a more comprehensive framework for managing and reporting controls than SSAE 16.

How does SSAE 18 relate to SOC reports?

SSAE 18 and SOC are often used interchangeably, but are distinct terms. Let’s clarify the differences between SSAE 18, SOC 2, and SOC 1 below.

SSAE 18 vs SOC 2​ report

SSAE 18 serves as the overarching framework for attestation engagements, including SOC 2 audits. SOC 2 auditors must comply with two sections in SSAE 18: AT-C section 105, Concepts Common to All Attestation Engagements and AT-C section 205, Examination Engagements.

A SOC 2 report is a specific type of report resulting from a SOC 2 audit conducted under SSAE 18 guidelines. This type of report focuses on non-financial controls, covering criteria such as security and privacy. 

SOC 2® Report Example

A SOC 2® report provides detailed results of a SOC 2 audit and a wealth of information about your company’s security posture, specifically as it relates to the security standards covered by SOC 2. Seeing a real example of what a SOC 2 Type II report might look like can be incredibly useful when preparing for an audit or deciding if you need a report.

SSAE 18 vs SOC 1 report

SSAE 18 is also used for SOC 1 audits, which evaluate controls relevant to financial reporting. In addition to complying with AT-C sections 105 and 205, SOC 1 auditors must comply with AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting.

A SOC 1 report is another specific type of report resulting from a SOC 1 audit conducted under SSAE 18 guidelines. Unlike a SOC 2 report, a SOC 1 report focuses on controls relevant to financial information and reporting.

In short, SSAE 18 provides the structure for both SOC 1 and SOC 2 audits, while the reports themselves result from the audits and are used to enhance trust between the service organization and user entities, including customers. 

How Secureframe can help you get a SOC report

Whether you need a SOC 1 or SOC 2 report or both, Secureframe's compliance automation tool can help you streamline the audit readiness process, slashing the time and resources required to achieve and maintain compliance. One of our customers got their SOC 2 report in six business days.

Looking to achieve similar results? Request a demo with one of our experts today.


FAQs

Is SSAE 16 still valid?

No, SSAE 16 is no longer valid. It was superseded by SSAE 18 in 2017.

What’s the difference between SSAE 16 and SSAE 18?

The primary differences between SSAE 16 and SSAE 18 are:

  • enhanced clarity and readability
  • new vendor risk management requirements
  • updated risk assessment requirements
  • closer alignment with global standards like ISAE 3000

Is SSAE 18 the same as SOC 1?

No, SSAE 18 is the auditing standard used for SOC 1 audits. SOC 1 refers to a specific type of report focused on financial controls that follows SSAE 18 guidelines. 

Is SSAE 18 the same as SOC 2?

No, SOC 2 is another type of report resulting from an audit that follows the SSAE 18 framework. A SOC 2 report focuses on non-financial controls, including security, availability, processing integrity, confidentiality, and/or privacy.

What sections are covered in SSAE 18?

The sections covered in SSAE 18 are:

  • AT-C, Preface
  • AT-C section 105, Concepts Common to All Attestation Engagements
  • AT-C section 205, Examination Engagements
  • AT-C section 210, Review Engagements
  • AT-C section 215, Agreed-Upon Procedures Engagements
  • AT-C section 305, Prospective Financial Information
  • AT-C section 310, Reporting on Pro Forma Financial Information
  • AT-C section 315, Compliance Attestation
  • AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting
  • AT-C section 395, Management’s Discussion and Analysis