Defined loosely as an engagement to issue an examination, review, or procedures report on a subject matter, an attest engagement encompasses more review than audit reports.

SSAE 18, in superseding the SSAE 16, established a new standard for Service Organization Controls (SOC) reports. SOC 1 reports focus on an organization’s controls over financial reporting. SOC 2 reports focus on internal controls over data security, availability, processing integrity, confidentiality, and privacy.

SSAE 18 incorporated a series of enhancements to the SOC 1 reporting process that better aligned it to the risk assessment required in SOC 2 reports. To increase the usefulness and quality of of SOC 1 reports, the SSAE 18 requires service organizations to identify all subservice organizations and understand complementary subservice organization controls.

As part of the subservice organization review, or vendor management process, service organizations need to incorporate data centers, cloud infrastructures, Software-as-a-Service platforms, and other outsourced vendors.