What is SSAE 18?
SSAE 18 (Statement on Standards for Attestation Engagements No. 18) is the professional standard issued by the AICPA that governs how attestation engagements, including SOC 1, SOC 2, and SOC 3 examinations, are performed in the United States. It provides the authoritative guidance that service auditors must follow when conducting these engagements.
Background and history
SSAE 18 replaced SSAE 16 in May 2017. The update introduced several important changes:
- Risk assessment requirements — auditors must perform a formal risk assessment as part of planning the engagement
- Monitoring of subservice organizations — organizations that use subservice providers (such as cloud hosting providers) must demonstrate monitoring of those providers' controls
- Written assertion — management must provide a written assertion about the effectiveness of their controls
- Clarified engagement standards — the standard consolidated and clarified previous attestation guidance
These changes strengthened the rigor of SOC engagements and aligned US attestation standards more closely with international practices.
How SSAE 18 relates to SOC reports
SSAE 18 is the umbrella standard under which SOC reports are issued:
- SOC 1 — examines controls relevant to user entities' financial reporting (performed under AT-C Section 320)
- SOC 2 — examines controls related to security, availability, processing integrity, confidentiality, and privacy (performed under AT-C Section 205)
- SOC 3 — a general-use version of SOC 2 with a shortened report format
The standard defines the auditor's responsibilities, the required elements of the report, and the criteria for issuing opinions.
Key requirements under SSAE 18
Organizations undergoing SOC engagements should understand several key requirements:
- Management's assertion — the organization's management must formally assert that their system description is accurate and that controls are suitably designed (and operating effectively for Type II)
- Subservice organization oversight — if the organization relies on third-party providers (such as AWS, Azure, or a data center), it must demonstrate how it monitors those providers' controls
- System description — the organization must prepare a detailed description of its system, including infrastructure, software, people, procedures, and data
- Control environment — the organization must maintain a defined control environment with clear ownership and accountability
Subservice organizations
One of the most significant aspects of SSAE 18 is the treatment of subservice organizations. Companies can present subservice organizations in their SOC report using one of two methods:
- Inclusive method — the subservice organization's controls are included within the scope of the report
- Carve-out method — the subservice organization's controls are excluded from scope, and the report notes that certain controls are the responsibility of the subservice organization
Most organizations use the carve-out method, referencing their cloud provider's own SOC 2 report as complementary evidence.
Why SSAE 18 matters
Understanding SSAE 18 helps organizations prepare more effectively for SOC engagements. It sets expectations for what auditors will require and what management must provide. Organizations that are unfamiliar with these requirements often face delays and additional costs during the audit process.
For buyers reviewing SOC 2 reports, understanding that the report was issued under SSAE 18 provides confidence that it meets a rigorous professional standard.
How episki helps
episki structures your compliance program to align with SSAE 18 requirements, including system description preparation, subservice organization tracking, and management assertion documentation. This ensures your organization is audit-ready when the service auditor begins their engagement. Learn more on our SOC 2 compliance page.