SSAE 18 (Statement on Standards for Attestation Engagements No. 18) is a set of standards and guidance issued by the American Institute of Certified Public Accountants (AICPA) for auditors and service organizations. The SSAE 18 effectively replaced the older SSAE 16 guidance and SAS 70 reports.

The main objective of SSAE 18 is to standardize the attestation criteria used by auditors when evaluating the internal controls within a service organization. Once audited under these standards, a service organization can receive a Service Organization Control (SOC) report. Different types of SOC reports exist, such as SOC 1, SOC 2, and SOC 3, each catering to varied purposes and audiences.

A distinguishing feature of SSAE 18 is its robust emphasis on risk management. It expects service organizations to proactively identify and manage any risks that might compromise the achievement of the organization’s control objectives. The SSAE 18 introduced significant changes concerning the oversight of subcontractors or subservice organizations. Service organizations are now mandated to illustrate how they monitor the controls of their vendors, ensuring their effectiveness. Additionally, they need to pinpoint and communicate the controls assumed to be in place by these subservice organizations, essential for achieving the control objectives stated in the SOC report.

With the introduction of SSAE 18, the management of a service organization is required to provide a written assertion. This assertion addresses the fairness in the presentation of the system’s description, the appropriateness of the control’s design, and, in certain scenarios, the operating effectiveness of those controls. Importantly, SSAE 18 is industry-agnostic, meaning any service organization influencing the internal controls over its customer’s financial reporting might be eligible for an SSAE 18 audit.

What are SOC 1 requirements?

Here are the key requirements and components of a SOC 1 report:

1. System Description: The service organization must provide a written assertion and a detailed description of its system. This includes the services provided, the classes of transactions processed, the procedures by which those transactions are initiated, recorded, processed, and reported, as well as any other relevant aspects of its service delivery.

2. Control Objectives: Clearly defined control objectives need to be in place, which outline the specific goals or intentions behind implementing particular controls.

3. Controls: These are the actual policies, procedures, and activities that the service organization has put in place to ensure the control objectives are met. They are designed to mitigate risks that would prevent the control objectives from being achieved.

4. Written Assertion: The management of the service organization must provide a written assertion about:

  1. The fairness of the presentation of the system description.
  2. The suitability of the design of the controls to achieve the related control objectives stated in the description as of a specified date.
  3. In the case of a Type 2 report, the operating effectiveness of those controls over a specified period.

5. Auditor’s Opinion: An external auditor reviews the system description, control objectives, controls, and the service organization‘s assertion. Based on this review, the auditor provides an opinion on:

  1. Whether the description is fairly presented.
  2. Whether the controls were suitably designed to achieve the related control objectives.
  3. For a Type 2 report, whether the controls operated effectively over the specified period.

6. User Entity Considerations: The report should also include information that helps user entities (customers of the service organization) understand any complementary user entity controls that are assumed to be in place and any complementary subservice organization controls on which the service organization‘s controls might depend.

How do I prepare for SOC 1?

Determine the Service Organization Controls (SOC) report necessary for the organization. SOC reports come in two types and each one requires different information.

  1. SOC 1 reports review the controls over financial reporting.
  2. SOC 2 reports cover internal controls over data security, availability, processing integrity, confidentiality, and privacy.

Find a CPA firm that aligns to the organization’s needs.

  1. The firm should be well-versed in the organization’s specialization or industry
  2. It should meet the budgetary requirements.
  3. The firm and auditor should have SOC 1 auditing experience.
  4. The firm’s control objectives and related controls should align with end-user needs.

Define the SOC 1 audit scope.

  1. Review the physical location for the audit.
  2. Define the number of locations that will be included in the audit.
  3. Define the audit testing period.
  4. Specify the workforce members who need to be involved during the audit process.

Define the subservice organizations and complementary user entity controls that need to be reviewed as part of the audit.

  1. Review data centers
  2. Cloud service providers
  3. Software-as-a-Service platforms
  4. Catalog all outsourced service providers.

Set control objectives.

  1. Define the internal controls that require review.
  2. Determine the steps necessary for testing.
  3. Define the process owners who need to be involved.
  4. Establish an internal stakeholder who needs to review and respond to the draft report.
  5. Define the stakeholders who must approve the final report.

Is a SOC 1 Checklist Useful?

A SOC 1 checklist can be incredibly useful for several reasons:

  1. Preparation: Before undergoing a SOC 1 audit, a service organization can use a checklist to ensure they have all the necessary documentation and controls in place. This helps in understanding what the auditors will be looking for and ensuring that nothing is overlooked.
  2. Understanding Requirements: A checklist can break down the complex requirements of a SOC 1 audit into manageable and understandable tasks. This can be especially beneficial for organizations that are new to the SOC 1 process.
  3. Efficiency: By using a checklist, organizations can streamline their audit preparation process, ensuring that they address each requirement methodically. This can save time and reduce the risk of missing crucial steps.
  4. Internal Evaluation: Even outside the context of an upcoming audit, a SOC 1 checklist can serve as a tool for internal evaluation. Organizations can use it to periodically assess their internal controls related to financial reporting and identify areas for improvement.
  5. Training Tool: For new employees or team members unfamiliar with the SOC 1 process, a checklist can serve as a training tool, helping them understand the scope and requirements of the audit.
  6. Consistency: If a service organization undergoes SOC 1 audits regularly, a checklist ensures consistency in preparation across different audit cycles.
  7. Stakeholder Communication: A checklist can also be used as a communication tool with stakeholders, such as management or board members, to demonstrate the steps being taken to prepare for the audit and maintain compliance.
  8. Risk Mitigation: By adhering to a comprehensive checklist, organizations can mitigate the risk of unfavorable audit outcomes, such as qualifications or exceptions in the auditor’s report.

While a SOC 1 checklist is a valuable tool, it’s essential to understand that it’s a starting point. The actual preparation for a SOC 1 audit involves a deep understanding of the organization’s processes, controls, and systems. It might also require consultation with professionals or experts familiar with the SOC reporting process.

Types of SOC reports

Under SSAE 18, service organizations can have their controls audited and subsequently receive a Service Organization Control (SOC) report. There are different types of SOC reports (e.g., SOC 1, SOC 2, and SOC 3) that serve different purposes and have different intended audiences.


  •   Type 1 Report: This provides an auditor’s opinion on the fairness of the presentation of the service organization‘s system and the suitability of the design of its controls as of a specific date.
  •   Type 2 Report: This includes everything in a Type 1 report and also includes an opinion on the operating effectiveness of the controls over a specified period, usually 6 to 12 months. It also requires testing of the controls by the auditor.

12 Important Steps to Take for SSAE 18 Compliance

Achieving SSAE 18 compliance, especially for Service Organization Control (SOC) reports, requires a systematic approach. Here are 12 important steps organizations can take to ensure compliance with SSAE 18 standards:

  1. Understand the Requirements: Familiarize yourself with SSAE 18 standards, especially the differences from its predecessor, SSAE 16, to know what’s expected.
  2. Define the Scope: Determine which services, systems, and controls will be included in the audit. Clearly define the boundaries of what will be assessed.
  3. Risk Assessment: Conduct a comprehensive risk assessment to identify potential threats and vulnerabilities that might impact your control objectives.
  4. Document System Descriptions: Provide a detailed description of your organization’s systems, including the types of services provided, how transactions are processed, and other relevant operational details.
  5. Establish Control Objectives: Define clear and specific control objectives that address the risks associated with the services you provide.
  6. Design and Implement Controls: Develop policies, procedures, and controls to achieve your control objectives. Ensure they are consistently applied throughout the organization.
  7. Monitor Subservice Organizations: If you rely on third-party vendors or subservice organizations, establish processes to monitor their controls, especially if they impact your control objectives.
  8. Internal Testing and Evaluation: Before the external audit, test the effectiveness of your controls internally. This helps in identifying and rectifying any potential issues beforehand.
  9. Management’s Written Assertion: Prepare a written assertion from management confirming the fairness and accuracy of the system descriptions, the suitability of the control design, and, for Type 2 reports, the effectiveness of the controls over a specified period.
  10. Engage a Qualified Auditor: Choose an experienced and reputable auditing firm that is familiar with SSAE 18 standards and the specific requirements of the type of SOC report you are pursuing (e.g., SOC 1, SOC 2).
  11. Address Audit Findings: Once the audit is completed, review any findings or recommendations made by the auditors. Address any deficiencies or areas of concern promptly.
  12. Continuous Monitoring and Improvement: SSAE 18 compliance is not a one-time event. Implement a continuous monitoring program to ensure controls remain effective over time and adapt to changes in the business environment.

By following these steps and maintaining a proactive approach to internal controls and risk management, organizations can achieve SSAE 18 compliance and provide stakeholders with valuable assurance regarding the reliability of their operations.

Your SOC 1 SSAE 18 Compliance Checklist

Creating a SOC 1 SSAE 18 checklist can be a helpful tool for organizations preparing for an audit. These can also be incorporated into an audit checklist for a readiness assessment to ensure your business is prepared for an audit. Here’s a general compliance checklist to guide organizations toward SSAE 18 compliance for a SOC 1 report:

1. Understand the Standards:

  • Familiarize yourself with SSAE 18 requirements.
  • Understand the differences between SSAE 18 and its predecessor, SSAE 16.

2. Determine the Scope:

  • Identify which systems, services, and controls will be covered in the audit.
  • Understand the boundaries and parameters of the audit.

3. Conduct a Risk Assessment:

  • Identify potential risks associated with your services.
  • Determine how these risks might impact a user entity‘s financial statements.

4. Document System Descriptions:

  • Detail the services you provide.
  • Describe how transactions are processed.
  • Document other relevant operational and organizational information.

5. Establish Control Objectives:

  • Develop clear control objectives that address identified risks.
  • Ensure objectives are relevant to user entitiesfinancial reporting.

6. Implement Controls:

  • Design controls to meet your control objectives.
  • Document these controls and ensure they are consistently applied.

7. Monitor Third-Party Providers:

  • If you utilize subservice organizations, establish processes to monitor their controls.
  • Understand and document their impact on your control environment.

8. Test Controls Internally:

  • Before the external audit, conduct internal tests on your controls.
  • Address and rectify any identified deficiencies.

9. Prepare Management’s Assertion:

  • Develop a written statement from management confirming the accuracy of system descriptions.
  • Assert the suitability and, for Type 2 reports, the operational effectiveness of controls.

10. Engage an External Auditor:

  • Select a reputable audit firm familiar with SSAE 18 standards.
  • Collaborate with them throughout the audit process.

11. Address External Audit Findings:

  • Review and address any deficiencies or recommendations from the external audit.
  • Implement corrective actions as needed.

12. Maintain Documentation:

  • Keep thorough documentation of all processes, controls, tests, and changes.
  • Update documentation as changes occur in the system or control environment.

13. Continuous Monitoring:

  • Establish a process for ongoing monitoring of controls.
  • Periodically reassess risks and adjust controls as necessary.

14. Stakeholder Communication:

  • Ensure relevant stakeholders are aware of the SOC 1 audit and its implications.
  • Provide them with necessary information and findings from the audit.

Remember, while this checklist provides a general overview, the specifics of each organization’s environment may require additional steps or considerations. It’s essential to consult with professionals familiar with SOC reports and SSAE 18 standards to ensure comprehensive compliance.

Maintain Your Compliance with ZenGRC

Maintaining compliance in today’s rapidly evolving regulatory landscape can be a daunting task for businesses. ZenGRC, with its intuitive interface and robust capabilities, offers a streamlined solution to this challenge. As a cutting-edge Governance, Risk, and Compliance (GRC) platform, ZenGRC enables organizations to manage their compliance requirements efficiently, ensuring they remain up-to-date with changing regulations. Its centralized dashboard provides real-time insights into compliance statuses, while automated workflows reduce manual efforts and potential oversights. By integrating ZenGRC into your compliance strategy, not only can you ensure adherence to regulatory standards, but you can also foster a proactive compliance culture that anticipates and mitigates risks ahead of time.