Statement on Standards for Attestation Engagements 18 (SSAE)

Statement on Standards for Attestation Engagements 18

SSAE 18 requires a description of the system at service organizations. Service organizations are now required to effectively choose between SSAE 18(SOC 1, SOC 2 and SOC 3).

SOC 1:

SSAE 18(SOC 1) audit fully supports the objective of continued growth, client confidence, and the ability to serve a broader range of clients, with a proven and very strong return on investment (ROI).

Both SSAE 18 (SOC 1) Type 1 and SSAE 18 (SOC 1) Type 2 reports can be issued depending on the specific requirements and objectives of the service organization. Both report types add value and credibility to a service organizations core activities with the following differences:

1) Type 1 is a report on policies and procedures placed in operation as of a specified point in time.

2) Type 2 is a report on policies and procedures placed in operation and tests of operating effectiveness for a period of time.

SOC 2:

Service Organizations providing services that do not impact their client’s financial reporting, the audit reports will be considered SOC 2 or SOC 3 reports and focus on controls at a service organization relevant to the following Trust Services principles of Security, Availability, Processing Integrity, Confidentiality, Privacy.

SOC 2 reports are restricted use reports to:

1) Management of the service organization (the company who has the SOC 2 performed)

2) User entities of the service organization (customers, regulators, business partners, suppliers, etc.)

SOC 2 reports are also of two types: Type 1 and Type 2 and interpretation is same as mentioned in SOC 1.

SOC 3:

Unlike a SOC 2 report (which is a restricted use report), SOC 3 reports are general use reports, which means upon attainment of an unqualified report, they can be freely distributed or posted on a website as a seal for one full calendar year from the date of issue.

7 key steps for SSAE 18 certification

CUNIX Consultant will have a detailed call with the client to understand the need of the customer for SSAE 18 assessment.

CUNIX Consultant will freeze the scope with the client in terms of Line of Business, No. of locations, No. of people and audit criteria.

CUNIX consultant will visit the client locations for Onsite Audit as per the audit criteria defined in the scope. All the controls will be covered as applied by the client.

This is an offsite activity in which the evidences related to controls will be collected and reviewed.

The initial audit report will be shared with the client for the client review.

If client opts for this service as well then CUNIX consultants will guide the implementation team at client organization on how to fill up those identified gaps in the initial audit report. Gap closure verification will also be conducted.

On completion of consulting activity the final report will be shared with the client.


Full form: Statement on Standards of Attestation Engagements (SSAE)  18 issued by the American Institute of Certified Public Accountants (AICPA).

SSAE 18 audit is conducted by an independent accounting firm to assess internal controls of a service organization. After audit service auditors report (referred to as SSAE 18 reports) and an opinion based on the assessment will be issued.

Service Organization: An organization providing services to other entities, for which these services are likely to be relevant to these other entities’ internal control for financial reporting.

User Organization: An entity that uses the services of the Service Organization.

There are 2 types of reports:

Type 1 report – Report on Controls Placed in Operation: User organizations and their auditors gets limited assurance that the controls of the service organization exist covering the reporting timeframe (also known as the period of review).

Type 2 report – Report on Controls Placed in Operation and Tests of Operating Effectiveness: User organizations and auditors gets information regarding the service organizations controls and that the controls are operating as reported during the period of review.

Although it is not mandated but user organizations, user organization auditors, and other parties may request for SSAE 18 audit to get an understanding of the controls at a service organization.

There are no minimum requirements a service organization must meet to go through a SSAE 16 audit.

The AICPA suggests the period of review, or time frame in which the report covers, to cover at least six months. It is recommended that a report be issued at least annually, allowing the user organizations and user organization auditors to assess the control risk for the financial statement assertions impacted by the services provided by your company.

Reporting on the controls of a service organization with multiple locations is determined by how the individual locations are managed and how the locations fit into the control structure of the company as a whole. If the locations are managed by a central set of policies and procedures and management team, it may be possible to issue a single report covering every location. However, if each location operates under separate procedures and a management team independent of the other locations, separate service audit reports may be required for each location.