What is SSAE 18?

SSAE 18, also known as Statement on Standards for Attestation Engagements No. 18, is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It recently replaced the previous standard SSAE 16 in May 2017 and introduced several changes and enhancements to meet the evolving needs of the auditing profession. SSAE 18 was designed for service organizations that provide outsourced services and seek to provide assurance to their clients regarding effectiveness of their controls.  

SSAE 18 establishes the requirements and guidance for service auditors when conducting an examination of a service organization’s controls and issuing a report known as a Service Organization Control (SOC) report. These reports are essential for service organizations as they provide valuable information to their clients about the reliability and security of their systems and processes. 

One of the significant changes introduced in the SSAE 18 report is the introduction of the “Description Criteria.” These criteria require the service organization to provide a detailed description of its system and controls in place. This description must include the service organization’s objectives, system boundaries, and the nature and extent of the services provided. This enhanced description helps clients gain a better understanding of the service organization’s objective’s operations and evaluate the suitability of the provided services for their needs.

What is the difference between SSAE 18 and SSAE 16?

Another key aspect of SSAE 18 compliance is the concept of “risk assessment”. The standard requires the service auditor to identify and assess the risks that could affect the achievement of the service organization’s objectives. The risk assessment helps the auditor determine the appropriate controls to test and evaluate during the examination. It also assists the service organization in identifying areas where they need to strengthen their controls to mitigate risks effectively. 

Subservice organizations

SSAE 18 also emphasizes the importance of “subservice organizations.” Service organizations often rely on other organizations to perform certain functions on their behalf. These organizations are called subservice organizations. The standard requires the service organization to evaluate and disclose the risks associated with subservice organizations. If the subservice organization’s controls are relevant to the services being provided, the service organization needs to obtain a SOC report from the subservice organization or perform additional procedures to obtain sufficient assurance. 

Written assertion

The concept of “written assertion” is another essential component of SSAE 18. The service organization is required to provide a written assertion to the service auditor, affirming the fairness and accuracy of the description of the systems and controls. This written assertion strengthens the accountability of the service organization and provides additional confidence to the clients and stakeholders. 


SOC reports

SOC Reports include SOC 1, SOC 2 and SOC 3. The SSAE 18 assessment also includes two types of SOC reports: Type 1 and Type 2. A Type 1 report provides an opinion on the design of the controls at a specific point in time, while a Type 2 report includes an opinion on the operational effectiveness of the controls over a period of time, typically six months or more. The choice between Type 1 and Type two depends on the clients needs and the nature of the services being provided. 

In summary, SSAE 18 is a standard that provides guidelines for service auditors when examining the controls of a service organization. It emphasizes the importance of risk assessment, through system description, evaluation of subservice organizations, written assertions, and the issuance of SOC reports. These changes enhance the transparency, reliability, and consistency of the auditing process, providing clients with valuable information to make informed decisions regarding their service providers.