SSAE 18 is often mentioned in conversations around vendor due diligence, third-party risk assessments, and internal control evaluations — but what exactly does it mean, and why should your business pay attention?
Formally known as the Statement on Standards for Attestation Engagements No. 18, SSAE 18 is a professional standard issued by the American Institute of Certified Public Accountants (AICPA). It defines how auditors should assess and report on a service organization’s internal controls, especially those that may impact a client’s financial reporting or data security posture.
Why does this matter? Because most businesses today rely heavily on third-party providers — whether it’s for cloud infrastructure, payment processing, or HR platforms. SSAE 18 ensures there’s a consistent, rigorous process for evaluating the controls these service providers have in place.
If your organization offers services that involve customer data, or if you rely on external vendors to handle critical operations, understanding SSAE 18 is not optional—it’s essential.
What is SSAE 18?
At its core, SSAE 18 defines how independent auditors evaluate and report on internal controls within service organizations. It’s not about what controls should exist, but rather how the audit process should be carried out to assess them—with consistency, accuracy, and accountability. This makes SSAE 18 especially relevant for organizations that provide services impacting their clients’ financial data or operational security.
This standard replaced SSAE 16 in 2017 and introduced several important updates. While SSAE 16 focused primarily on financial reporting, SSAE 18 broadened the scope by emphasizing third-party risk management, requiring more rigorous oversight of subservice providers, and strengthening the overall control environment.
It’s important to note that SSAE 18 itself doesn’t generate a report. Rather, it governs the process used to produce reports—specifically SOC 1, SOC 2, and SOC 3. In other words, when a service provider undergoes a SOC 2 audit, the methodology behind that audit is guided by SSAE 18.
Think of SSAE 18 as the rulebook for how SOC reports are prepared. It ensures consistency, reliability, and transparency — which are all critical when organizations need to demonstrate the strength of their internal controls to clients, regulators, or partners.
SSAE 18 vs SOC 1, SOC 2, and SOC 3—what’s the connection?
SSAE 18 and SOC reports often get mentioned in the same breath, but they aren’t interchangeable. SSAE 18 is the attestation standard that governs how SOC 1, SOC 2, and SOC 3 reports are conducted — it provides the criteria auditors use when evaluating and reporting on internal controls.
Here’s how it breaks down:
- SOC 1 reports evaluate internal controls relevant to a client’s financial reporting. These controls are typically important for organizations like payroll processors or financial services providers.
- SOC 2 reports assess controls related to trust service criteria—such as security, availability, processing integrity, confidentiality, and privacy. These are most common in tech and SaaS companies where customer data security is critical.
- SOC 3 reports are similar to SOC 2, but they’re designed for broader public distribution. While a SOC 2 report is detailed and intended for stakeholders under NDA, a SOC 3 is more high-level and can be published on your website.
All three reports are conducted under the SSAE 18 standard. So, if your company undergoes a SOC 2 Type II audit, the methodology behind that audit is grounded in the principles and requirements laid out in SSAE 18.
In short, SSAE 18 provides the structure and expectations. SOC reports are the outcome. One sets the rules; the other delivers the results.
Key requirements under SSAE 18

SSAE 18 introduced more rigor and accountability into the attestation process by tightening expectations around internal controls, especially those related to vendor relationships and risk oversight. If your organization is preparing for a SOC audit governed by SSAE 18, here are the core requirements you’ll need to keep in mind:
1. Risk assessment and documentation
Organizations are expected to identify and document the risks associated with their services—especially risks that could impact their customers. This involves understanding where controls may fall short and how those gaps are being addressed.
2. Oversight of subservice organizations
SSAE 18 places significant emphasis on monitoring third-party vendors (also called subservice organizations). If you’re relying on external partners to deliver critical services or infrastructure, you must demonstrate how you’re managing those dependencies—often through mechanisms like the carve-out or inclusive method in SOC reports.
3. Ongoing monitoring activities
It’s not enough to implement controls and walk away. SSAE 18 requires evidence of ongoing monitoring—this includes regular reviews, audits, exception reporting, and any corrective actions taken over time.
4. Management’s written assertion
As part of the process, your leadership must provide a written assertion confirming that the described controls were in place and operating effectively during the audit period. This assertion forms the basis of the auditor’s opinion.
5. Focused internal control environment
Whether you’re undergoing a SOC 1 or a SOC 2 audit, the controls must be appropriately designed and consistently applied. SSAE 18 expects clear documentation and operational discipline here.
Challenges faced in SSAE 18 compliance and how Scrut helps solve them

While SSAE 18 offers a structured approach to evaluating internal controls, the road to a successful audit isn’t always smooth. Many organizations—especially those navigating their first SOC engagement—run into a few common challenges along the way.
Challenge 1: Identifying the right scope
One of the first hurdles is figuring out what systems, processes, and controls should be included. Misjudging the scope—either too narrow or too broad—can lead to missed controls, wasted effort, or irrelevant findings.
Scrut’s guided workflows help you define your audit scope based on your business model, tech stack, and reporting goals—so you’re not guessing what’s in or out.
Challenge 2: Distinguishing subservice providers
Organizations often struggle to correctly identify which vendors qualify as subservice providers under SSAE 18. Failing to account for them—or not clarifying responsibilities—can raise audit flags and delay the reporting process.
With a centralized vendor inventory and tagging system, Scrut makes it simple to identify and track subservice providers, assign control responsibilities, and manage carve-out vs. inclusive decisions.
Challenge 3: Gaps in control design or documentation
Even if the actual practices are sound, a lack of formal documentation (e.g. missing policies, inconsistent procedures, untracked approvals) can make it hard to demonstrate control effectiveness. Remember, if it’s not documented, it doesn’t exist—at least in the auditor’s eyes.
Scrut provides 1400+ pre-built, auditor-vetted control templates and policy documents that align with SSAE 18 expectations. No more starting from scratch or reinventing best practices.
Challenge 4: Evidence collection overload
Collecting evidence to prove that controls are working—across departments, tools, and time periods—can be overwhelming. This is especially true for SOC 2 Type II audits, where controls are evaluated over months and manual tracking often leads to errors or gaps.
Scrut connects with your existing tools (e.g., AWS, Okta, Jira, GitHub) to auto-collect evidence—reducing manual effort, improving accuracy, and saving hours of back-and-forth during audits.
Challenge 5: Cross-functional coordination
Compliance isn’t just an IT or security problem. HR, finance, legal, and engineering teams all have a role to play. Getting buy-in across functions and aligning everyone to audit timelines is a major pain point—particularly in fast-moving teams.
Assign controls, set deadlines, and track tasks across teams using Scrut’s intuitive dashboards. Everyone knows their role—and nothing falls through the cracks.
Challenge 6: Managing control ownership
It’s common to discover that no single person is clearly responsible for certain controls. Without defined ownership, issues can fall through the cracks—especially when a control needs to be updated, monitored, or explained to auditors.
Each control in Scrut is assigned an owner, so responsibilities are transparent and action items don’t get lost in the shuffle.
Challenge 7: Staying audit-ready year-round
SSAE 18 expects continuous oversight—not just a one-time show for auditors. Many teams struggle to maintain control hygiene after the audit period ends, which makes future audits harder and increases the risk of control failure.
With continuous monitoring, Scrut helps you stay audit-ready year-round—not just during the reporting window. That means fewer surprises, better security, and a smoother audit experience every time.
What to expect during an SSAE 18 audit

Going through an SSAE 18-based audit—like a SOC 1 or SOC 2—isn’t just about handing over a few documents and waiting for a report. It’s a collaborative, evidence-driven process that requires preparation, participation, and ongoing communication.
Here’s what the engagement typically involves:
1. Scoping discussions
The process usually begins with defining the scope: What systems, processes, and control objectives are in play? Are you aiming for a SOC 1 or SOC 2? Type I or Type II? The scope will determine how extensive the audit is and what kind of evidence you’ll need to provide.
2. Control identification and readiness assessment
Before the formal audit kicks off, many organizations go through a readiness phase. This involves identifying existing controls, spotting any gaps, and remediating issues in advance. A good auditor will help you understand where you stand—and what needs to be tightened up.
3. Evidence collection
During the audit, the assessor will request documentation and evidence to support the design and operating effectiveness of your controls. This could include access logs, policy documents, onboarding checklists, vendor monitoring records, incident reports, and more.
4. Walkthroughs and interviews
Auditors may conduct walkthroughs or interviews with key personnel to validate that your controls aren’t just documented—they’re actually being followed. Expect questions about processes, exceptions, escalation paths, and monitoring practices.
5. Report delivery
At the end of the process, the auditor will issue a report (SOC 1, SOC 2, or SOC 3), depending on your engagement type. This report includes their opinion on the effectiveness of your controls, management’s written assertion, and detailed descriptions of the control environment.
6. Continuous improvement
A SOC 2 Type II, for example, covers a reporting period (usually 3–12 months), meaning you’ll need to maintain—and improve—your controls continuously. Many organizations use their first SSAE 18 engagement as a baseline and mature their program over time.
Common misconceptions about SSAE 18

Despite being around for a few years, SSAE 18 is still often misunderstood—especially by those encountering it for the first time. Let’s clear the air on a few common myths:
1. “SSAE 18 is a certification.”
Not quite. SSAE 18 is a standard—and it governs attestation engagements, not certifications. When your organization completes a SOC 2 audit, for example, you don’t get “certified.” Instead, you receive a report issued by an independent auditor based on SSAE 18 guidelines. That’s an important distinction.
2. “Only financial institutions need to worry about SSAE 18.”
While SOC 1 reports (governed by SSAE 18) focus on controls relevant to financial reporting, SOC 2 and SOC 3 reports cover security, availability, confidentiality, and more. That makes SSAE 18 highly relevant for tech companies, SaaS providers, healthcare platforms, and virtually any business handling sensitive customer data—particularly those offering cloud-based services or processing customer information on behalf of other organizations, where a SOC 2 report is often expected.
3. “If I have a SOC 2 report, I’m automatically compliant with other frameworks.”
Not exactly. A SOC 2 report helps demonstrate good security practices, but it doesn’t mean you’re compliant with regulations like GDPR or HIPAA. That said, many of the controls assessed under SSAE 18 do align with broader security and privacy expectations—which can give you a strong head start.
4. “SSAE 18 only applies to service providers.”
Mostly, yes—but not exclusively. If you’re using third-party vendors and those vendors handle sensitive operations or data, your due diligence process will likely require reviewing their SOC reports. So even if you’re not undergoing the audit yourself, SSAE 18 still plays a role in your vendor risk management.
How Scrut helps you with SSAE 18
Scrut helps you stay ahead of SSAE 18 requirements without the manual overhead. With centralized dashboards for control monitoring, built-in expert guidance, and a Trust Vault to share reports securely with customers, you get everything you need to manage audits efficiently—and build trust while you’re at it.
Whether you’re preparing for your first audit or scaling an existing program, Scrut adapts to your workflow and keeps you in control.

FAQs
What’s the difference between SSAE 18 and SOC 2?
SSAE 18 is the attestation standard that governs how SOC 2 reports are conducted. SOC 2 is the actual report you receive after an audit; SSAE 18 defines how that audit should be performed.
What factors should you consider when selecting an SSAE 18 audit firm?
- Experience with your industry and business model
- A clear understanding of SOC 1 or SOC 2 requirements
- Ability to guide you through scope definition and readiness
- Support for both Type I and Type II reports
- Collaborative approach during evidence collection and review
- Strong communication and responsiveness throughout the audit
Why is SSAE 18 compliance essential for modern businesses?
SSAE 18 compliance signals that your internal controls are not only well-designed but independently verified—which builds trust with customers, partners, and regulators. It also helps you navigate due diligence, reduce vendor risk, and strengthen your overall compliance posture in a connected, service-driven ecosystem.
Do all vendors need to be included in a SOC 2 audit?
Not all. Only those vendors that qualify as subservice providers—meaning they directly impact your system of controls—need to be evaluated or disclosed in the report.
Can SSAE 18 help with other compliance frameworks?
Yes. Many SSAE 18-aligned controls overlap with other standards and regulations like ISO 27001, NIST, GDPR, and HIPAA. While it’s not a one-to-one match or a guarantee of compliance, it provides a strong operational foundation you can build on to meet multiple requirements.
What’s the difference between ISAE 3402 and SSAE 18?
ISAE 3402 is the international standard for assurance reports on service organizations, issued by the IAASB. SSAE 18 is the U.S. equivalent, issued by the AICPA. Both serve a similar purpose—evaluating internal controls—but are used in different regulatory and geographic contexts. If you’re working with international clients, you may be asked for an ISAE 3402 report instead of (or in addition to) a SOC 1 under SSAE 18.

Megha Thakkar has been weaving words and wrangling technical jargon since 2018. With a knack for simplifying cybersecurity, compliance, AI management systems, and regulatory frameworks, she makes the complex sound refreshingly clear. When she’s not crafting content, Megha is busy baking, embroidering, reading, or coaxing her plants to stay alive—because, much like her writing, her garden thrives on patience. Family always comes first in her world, keeping her grounded and inspired.