The Statement on Standards for Attestation Engagements No. 18 (SSAE 18) is an auditing standard established by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board. This standard governs the way organizations perform audits on various internal systems and controls.
SSAE 18, previously referred to as SSAE 16 or SAS 70 reports, guides how an audit is performed for Service Organization Controls or System and Organization Controls (SOC) reports. SOC reports are broken down into three versions.
- SOC 1 reports address an organization’s internal controls around financial reporting;
- SOC 2 reports address internal controls over data security, availability, processing integrity, confidentiality, and privacy; and
- SOC 3 reports are a slimmed-down version of SOC 2 reports and are meant for a service business to circulate publicly to potential customers.
SSAE 18 incorporated enhancements to the SOC 1 reporting protocols which better align it to the risk assessment requirements of SOC 2 reports.
Additionally, to increase the value and quality of SOC 1 reports, SSAE 18 requires service organizations to identify all sub-service organizations and understand complementary sub-service organization controls. This includes the vendor management process that service organizations should have in place to incorporate data centers, cloud infrastructures, Software-as-a-Service (SaaS) platforms, and other vendors.
Learn the Art of Risk Management