Statement on Standards for Attestation Engagements (SSAE) No. 18, is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Specifically, SSAE 18 is an attestation standard geared towards addressing engagements conducted by practitioners (known as "service auditors") on service organizations for purposes of reporting on the design of controls and their operating effectiveness. As such, SOC 1 SSAE 18 engagements conducted by service auditors on service organizations will result in the issuance of either a SSAE 18 Type 1 or Type 2 Report.
A Type 1 report is technically known as a "Report on Management's Description of a Service Organization's System and the Suitability of the Design of Controls", or simply known as a SOC 1 SSAE 18 Type 1 report.
A Much Needed Change for Reporting on Intenal Controls
SSAE 18 has effectively replacing SSAE 16 (and before that, SAS 70) as the primary standard for reporting on controls at service organizations. SAS 70, an auditing standard put forth in 1992 by the AICPA, has been a highly valuable and globally accepted framework and one that has been amended a number of times for helping keep pace with the growing changes in regulatory compliance. Even so, limitations within the SAS 70 framework prompted the Auditing Standards Board of the AICPA to put forth a new standard, one with an "attest" function, and one that closely mirrors the international standard on reporting on controls at service organizations - ISAE 3402.
The Emergence of SOC 2 Audits
Talk to the SOC 1 and SOC 2 Compliance Experts Today at NDNB