In today’s digital world, enterprises must prioritize data security and trust. Compliance with industry standards is a critical step toward protecting sensitive information, and the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) is one such standard.
What is SSAE 18 Compliance?
The Statement on Standards for Attestation Engagements No. 18 (SSAE 18) is an auditing standard established by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board. This standard governs how organizations perform audits on various internal systems and controls.
SSAE 18, which superseded SSAE 16 (and before it SAS 70, so older reports are often still referred to as SSAE 16 or SAS 70 reports), guides how an audit is performed for Service Organization Controls, now called System and Organization Controls (SOC), reports. SOC reports come in three types:
- SOC 1 reports address an organization’s internal controls around financial reporting;
- SOC 2 reports address internal controls over data security, availability, processing integrity, confidentiality, and privacy; and
- SOC 3 reports are a slimmed-down version of SOC 2 reports meant for a service business to circulate publicly to potential customers.
SSAE 18 incorporated enhancements to the SOC 1 reporting protocols, which better align them with the risk assessment requirements of SOC 2 reports.
Additionally, to increase the value and quality of SOC 1 reports, SSAE 18 requires service organizations to identify all subservice organizations and to understand the complementary subservice organization controls they rely on. In practice, this means the service organization’s vendor management process must cover the data centers, cloud infrastructure, Software-as-a-Service (SaaS) platforms, and other vendors that support the service.