As part of Service Organization Controls (SOC) reporting, organizations need to engage in the audit process. The SSAE 18 audit standard, superseding the SSAE 16 which had replaced the SAS 70, is a formalized auditing standard designed by the American Institute of Certified Public Accountants (AICPA).

Service organizations that need either a SOC 1 or SOC 2 report must meet the requirements the auditing standard requirements. SOC 1 reports cover internal controls over financial reporting. SOC 2 reports, sometimes referred to as System and Organization (SOC) Reports, review internal controls over data security, availability, processing integrity, confidentiality, and privacy.

To increase the usefulness and consistency of these audit reports, the SSAE 18 standard incorporated a series of enhancements that included a risk analysis of subservice organizations (vendors) and an annual risk assessment process.

The increased use of third-party business partners means that organizations who need to engage in SOC reporting now need to review information security controls governing their data centers, cloud infrastructures, Software-as-a-Service platforms, and other outsourced vendors.