What is SSAE 18 Compliance?

The Statement on Standards for Attestation Engagements No. 18 (SSAE 18) is an auditing standard established by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board. This standard governs the way organizations perform audits on various internal systems and controls.

SSAE 18, previously referred to as SSAE 16 or SAS 70 reports, guides how an audit is performed for Service Organization Controls or System and Organization Controls (SOC) reports. SOC reports are broken down into three versions.

  • SOC 1 reports address an organization’s internal controls around financial reporting;
  • SOC 2 reports address internal controls over data security, availability, processing integrity, confidentiality, and privacy; and
  • SOC 3 reports are a slimmed-down version of SOC 2 reports and are meant for a service business to circulate publicly to potential customers.

SSAE 18 incorporated enhancements to the SOC 1 reporting protocols which better align it to the risk assessment requirements of SOC 2 reports.

Additionally, to increase the value and quality of SOC 1 reports, SSAE 18 requires service organizations to identify all sub-service organizations and understand complementary sub-service organization controls. This includes the vendor management process that service organizations should have in place to incorporate data centers, cloud infrastructures, Software-as-a-Service (SaaS) platforms, and other vendors.

Learn the Art of Risk
download template

Why Is SSAE 18 Compliance Important?

SSAE 18 provides helpful guidance to organizations and service auditors that are required to demonstrate information security compliance with regulations such as Sarbanes-Oxley (SOX), PCI, and HIPAA.

All companies that work with customer data — whether it be PII like names and phone numbers or other sensitive data — should check that their service organization’s systems demonstrate both compliance with regulations and non-regulatory standards such as SSAE 18.

To provide superior customer service to clients, organizations such as cloud computing providers or financial services providers should review their business processes over a period of time to assure their operating effectiveness meets the standards set forth by standards like SSAE 18.

SSAE 18 Requirements at a Glance

To help your organization meet its SSAE 18 requirements, organizations should enlist a certified public accountant (CPA) that understands your business needs.

  • The firm should be well-versed in the organization’s specialization or industry
  • It should meet your budgetary requirements
  • The audit firm and specific engagement partner working with you should have SOC 1 auditing experience.
  • The firm’s control objectives and related controls should align with end-user needs.

SSAE 18 Compliance Checklist

Once you’ve enlisted the right CPA to guide your organization, the following checklist can help you get started preparing to meet SSAE 18 standards as well as SOC reporting.


Define the scope of your SOC audit.


Review the physical location being audited.


Define the number of additional locations that will be audited.


Determine the audit testing period.


Specify the workforce members who need to be involved during the audit process.


Define the sub-service organizations that need to be reviewed as part of the audit.


Review data centers, cloud service providers, and SaaS platforms.


Set your control objectives.


Define the internal controls that require review.


Determine the steps necessary for testing.


Define the process owners who need to be involved.


Establish an internal stakeholder who needs to review and respond to the draft report.


Define the stakeholders who must approve the final report.

Get Ahead of Your Audit Process with GRC expert tips


RiskOptics Has Your SSAE 18 Framework Solution

Meeting SSAE 18 standards or achieving certification for a SOC standard requires considerable investment in time and financial resources, particularly for an organization still using legacy tools or spreadsheets to achieve and maintain compliance workflows.

At RiskOptics, our Risk Insiders can help you prepare your organization to meet SSAE 18 compliance standards and SOC certification program, expedite the process, and minimize the burden on your team.

RiskOptics ROAR is an efficient solution to continuous compliance. Businesses don’t have to worry about their compliance and cybersecurity stance because ROAR monitors it over the entire lifecycle and keeps up with the latest data protection regulations and requirements.

RiskOptics ROAR SSAE 18 Capabilities

  • User-friendly dashboard with real-time metrics on prioritized risks
  • Pre-built templates can help you with your risk-management audits
  • A central repository for compliance documentation
  • Universal Control Mapping to fulfill multiple security standards with a single control
  • Insight into team member progress at fulfilling requirements
  • Tracking functionality for outstanding sub-service provider requirements
Ready to see ROAR in action?

Frequently Asked Questions

Not specifically. But any organization legally obligated to submit a System and Organization Controls (SOC) Report — such as a service provider signing a contract with a lucrative customer, where passing a SOC audit is one of the terms — must issue it under the SSAE-18 standard.

An SSAE 18 report is actually considered a SOC report. Service organizations that are legally required to submit a SOC report must issue it under the SSAE-18 standard.

SSAE 16 was the previous version of the standard. It was updated in 2017 to SSAE 18.

SSAE 18, previously referred to as SSAE 16 or SAS 70 reports, established a new standard for SOC reports. SSAE 18 incorporated enhancements to the SOC 1 reporting protocols which better align it to the risk assessment requirements of SOC 2 reports. So these two frameworks aren’t different, as much as they go hand-in-hand.