In today’s digital world, enterprises must prioritize data security and trust. Compliance with industry standards is a critical step toward protecting sensitive information. Statement on Standards for Attestation Engagements No. 18 (SSAE 18) is one of these standards that is critical to guaranteeing data security.

What is SSAE 18 Compliance?

The Statement on Standards for Attestation Engagements No. 18 (SSAE 18) is an auditing standard established by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board. This standard governs how organizations perform audits on various internal systems and controls.

SSAE 18, previously referred to as SSAE 16 or SAS 70 reports, guides how an audit is performed for Service Organization Controls or System and Organization Controls (SOC) reports. SOC reports are broken down into three versions.

  • SOC 1 reports address an organization’s internal controls around financial reporting;
  • SOC 2 reports address internal controls over data security, availability, processing integrity, confidentiality, and privacy; and
  • SOC 3 reports are a slimmed-down version of SOC 2 reports meant for a service business to circulate publicly to potential customers.

SSAE 18 incorporated enhancements to the SOC 1 reporting protocols, which better align them with the risk assessment requirements of SOC 2 reports.

Additionally, to increase the value and quality of SOC 1 reports, SSAE 18 requires service organizations to identify all sub-service organizations and understand complementary sub-service organization controls. This includes the vendor management process for service organizations to incorporate data centers, cloud infrastructures, Software-as-a-Service (SaaS) platforms, and other vendors.

Learn the Art of Risk
download template

Why Is SSAE 18 Compliance Important?

SSAE 18 provides helpful guidance to organizations and service auditors that must demonstrate information security compliance with regulations such as Sarbanes-Oxley (SOX), PCI, and HIPAA.

All companies that work with customer data — whether PII like names and phone numbers or other sensitive data — should check that their service organization’s systems demonstrate compliance with regulations and non-regulatory standards such as SSAE 18.

To provide superior customer service to clients, organizations such as cloud computing providers or financial services providers should review their business processes over a period of time to ensure their operating effectiveness meets the standards set forth by standards like SSAE 18.

SSAE 18 Requirements at a Glance

To help your organization meet its SSAE 18 requirements, organizations should enlist a Certified Public Accountant (CPA) who understands your business needs.

  • The firm should be well-versed in the organization’s specialization or industry.
  • It should meet your budgetary requirements.
  • The audit firm and specific engagement partner working with you should have SOC 1 auditing experience.
  • The firm’s control objectives and related controls should align with end-user needs.

SSAE 18 Compliance Checklist

Once you’ve enlisted the right CPA to guide your organization, the following checklist can help you prepare to meet SSAE 18 standards and SOC reporting.


Define the scope of your SOC audit.


Review the physical location being audited.


Define the number of additional locations that will be audited.


Determine the audit testing period.


Specify the workforce members who must be involved during the audit process.


Define the sub-service organizations that must be reviewed for the audit.


Review data centers, cloud service providers, and SaaS platforms.


Set your control objectives.


Define the internal controls that require review.


Determine the steps necessary for testing.


Define the process owners who need to be involved.


Establish an internal stakeholder who needs to review and respond to the draft report.


Define the stakeholders who must approve the final report.

Get Ahead of Your Audit Process with GRC expert tips


ROAR Offers an Integrated SSAE 18 Framework Solution

Meeting SSAE 18 standards or achieving certification for a SOC standard requires considerable time and financial resources, particularly for an organization still using legacy tools or spreadsheets to achieve and maintain compliance workflows.

With RiskOptics ROAR, you can adopt best practices while maintaining the flexibility to manage your organization’s unique controls, standardize risk and compliance across your company, and allow for seamless growth without introducing duplication and unintended risk.

Curated by experts and aligned with the Secure Control Framework (SCF) and NIST, the library provides cross-mappings of controls from the SCF, SOC, SSAE 18, NIST CSF, and CIS to many global frameworks.

ROAR automates the evidence-collecting process, saving your team significant time. You may reuse controls and evidence across frameworks while also integrating with the systems on which your firm relies.

With interfaces to cloud providers, code repositories, HR and CRM systems, and other tools, you can avoid manual effort, decrease audit fatigue, and stay on top of your compliance posture and audit readiness.

RiskOptics ROAR SSAE 18 Capabilities

  • User-friendly dashboard with real-time metrics on prioritized risks
  • Pre-built templates can help you with your risk-management audits
  • A central repository for compliance documentation
  • Universal Control Mapping to fulfill multiple security standards with a single control
  • Insight into team members’ progress in fulfilling requirements
  • Tracking functionality for outstanding sub-service provider requirements
Ready to see ZenGRC in action?

Frequently Asked Questions

Not specifically. But any organization legally obligated to submit a System and Organization Controls (SOC) Report — such as a service provider signing a contract with a lucrative customer, where passing a SOC audit is one of the terms — must issue it under the SSAE-18 standard.

An SSAE 18 report is considered a SOC report. Service organizations legally required to submit a SOC report must issue it under the SSAE-18 standard.

SSAE 16 was the previous version of the standard. It was updated in 2017 to SSAE 18.

SSAE 18, previously called SSAE 16 or SAS 70 reports, established a new standard for SOC reports. SSAE 18 incorporated enhancements to the SOC 1 reporting protocols, which better align them to the risk assessment requirements of SOC 2 reports. So, these two frameworks aren’t different, as they go hand-in-hand.

SSAE-18’s key components include the important aspects of defining and structuring attestation engagements, and assuring control system dependability. They are:

  • Control Objectives
  • Control Activities
  • Testing and Evidence
  • Subservice Organizations:

To guarantee a seamless and effective SSAE 18 audit, firms should fully prepare by taking these steps:

  • Internal Assessments (IA): Conduct internal assessments to determine your preparation for the audit. 
  • Control review and validation: Examine and confirm that your processes and controls meet SSAE 18’s control objectives and standards.
  • Assessing preparedness or doing mock audits: To replicate the real audit process, consider performing readiness or simulated audits.