What Is SSAE 18, and How Does it Relate to SOC Reports?

SSAE 18 featured

Most organizations have at least heard of SOC reports. Published and administered by the American Institute of Certified Professional Accountants (AICPA), the SOC umbrella of attestations helps organizations demonstrate adherence to best practices around data privacy, cybersecurity, risk assessment and financial reporting. 

Since SOC requirements come directly from the AICPA, the organization releases documents pertaining to guidance for audits and compliance. One of the primary documents for SOC compliance is Statement on Standards for Attestation Engagements no. 18 (SSAE 18). 


What Is the History of SSAE 18?

SSAE 18 comes at the tail end of nearly two decades of developing cybersecurity and financial reporting requirements. The AICPA, working within several industry requirements and government regulations, releases special publications to help SOC auditors and assessed organizations understand just what exactly goes into attestation. 

The history of SSAE 18 can be traced back to the early 1990s:

  • Statement on Auditing Standards 70 (SAS 70): Released in 1992, this document provides essential guidance for auditing financial statements for organizations working with a subservice organization in a way that affects reporting. 
  • COSO Internal Control Integrated Framework: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a group of private sector businesses that have come together to support efforts on combating fraud. While not an AICPA publication, this framework is a critical step in financial reporting that has a massive impact on the industry. 
  • SAS 78: Released in 1995, this document amends SAS 55 to create a general standard for internal reporting control structures that integrates definitions from COSO.
  • International Standard for Assurance Engagements (ISAE) 3402: this document, published in 2009, this standard defines protocols for “assurance engagements” (audits) pertaining to financial reporting controls. 
  • SSAE 16: This document combined knowledge from previous documents and, in 2010, superseded SAS 70 as a framework for auditing financial reporting controls. It is also more closely aligned with the Sarbanes-Oxley Act (SOX) requirements. Finally, the release of this document replaced examination reports dictated in SAS 70 with SOC reports. 
  • Trust Services Criteria: The AICPA released additional criteria for audits, defining the 5 Trust Services Criteria (Security, Confidentiality, Availability, Processing Integrity and Privacy) that align with the COSO control framework. 
  • SSAE 18: Published in 2016 and implemented the next year, this document clarifies overall compliance requirements and unifies previous guidelines under a single standard. 


What Is in SSAE 18?


The documentation of the AICPA in regard to SSAE 18 states that it is a codification and clarification of previous SSAE documents. While this seems a bit vague, the core takeaway from these statements is that the AICPA meant SSAE 18 to take the disparate guidelines from various papers and streamline them into a single approach. 

This approach’s heart is the concept of an “attestation engagement.” Such an engagement is similar to an audit. However, this audit isn’t like other, more cookie-cutter regulations. Instead, the attestation requires that an organization report as to their infrastructure–what they’ve implemented, how it works and how they meet SSAE 18 requirements. The assessor then inspects the relevant controls to verify this is the case. 

SSAE 18 focuses specifically on implementing financial reporting controls, including guaranteeing the transparency, accuracy and security of those reports. The primary change from SAS 70 is that SSAE requires more stringent reporting requirements, including adding management assertion statements, evolved system descriptions and expanded requirements for attestations for a given time period. 

The assertion is important to this assessment: it is a document that is guaranteed by organizational management that attests to the state of the system as compliant with SSAE 18. Management must have a “reasonable basis” to support their system assertions. Management must implement formal, documented monitoring processes and conduct annual risk assessments to provide such a basis. 

Furthermore, SSAE 18 also defines relevant approaches to managing third-party reporting controls integrated within your system, including the potential for carve-out or integrated reporting. 

Finally, and simply put, SSAE 18 is essentially a SOC 1 audit report. It defines two different types of SOC 1 attestation reports:

  • Type I: These reports on the design of controls as they are put into operation and a single point in time. 
  • Type II: These reports focus on both the design and testing of controls over a period of time, usually six months.


Streamline SSAE SOC 1 and SOC 2 Attestation with Continuum GRC

SSAE 18 attestation takes accurate, straightforward reporting alongside understanding how best practices, forms, and assessments play a role in your regular business operations. Continuum GRC streamlines SSAE SOC 1 and SOC 2 assessment by removing the need for manual compliance monitoring and stone-age tools, bringing together automation and cloud services to simplify audits. 


Are You Preparing for SSAE 18 Audits?

Call Continuum GRC at 1-888-896-6207 or complete the form below.

Continuum GRC