Compliance White Papers

Taking the hassle out of staying compliant


Statement on Standards for Attestation Engagements (SSAE) No. 18 is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Specifically, SSAE 18 is an attestation standard geared towards addressing engagements conducted by practitioners (known as "service auditors") on service organizations for purposes of reporting on the design of controls and their operating effectiveness. As such, SOC 1 SSAE 18 engagements conducted by service auditors on service organizations will result in the issuance of either an SSAE 18 Type 1 or Type 2 Report.

A Type 1 report is technically known as a "Report on Management's Description of a Service Organization's System and the Suitability of the Design of Controls", or simply known as a SOC 1 SSAE 18 Type 1 report.

A Type 2 report is technically known as a "Report on Management's Description of a Service Organization's System and the Suitability of the Design and Operating Effectiveness of Controls", or simply known as a SOC 1 SSAE 18 Type 2 report.

A Much Needed Change for Reporting on Internal Controls

SSAE 18 has effectively replaced SSAE 16 (and before that, SAS 70) as the primary standard for reporting on controls at service organizations. SAS 70, an auditing standard put forth in 1992 by the AICPA, has been a highly valuable and globally accepted framework, and one that has been amended a number of times to help keep pace with the growing changes in regulatory compliance. Even so, limitations within the SAS 70 framework prompted the Auditing Standards Board of the AICPA to put forth a new standard, one with an "attest" function, and one that closely mirrors the international standard on reporting on controls at service organizations - ISAE 3402.

The Emergence of SOC 2 Audits

Service organizations should not be alarmed that SSAE 18 is replacing SSAE 16 as the primary standard for issuing SOC 1 reports, primarily because many of the requirements and overall elements within SSAE 18 are essentially similar to those of SSAE 16, with some notable exceptions. Consistent with SSAE 16, SSAE 18 will require that management provide the service auditor with (1) a description of the service organization's "system" along with (2) a written assertion. Also, keep in mind that SOC 2 audits are now becoming widespread in terms of use and adoption, particularly for technology-oriented companies. While SOC 1 (SSAE 16/SSAE 18) reports focus on internal controls relating to financial reporting, SOC 2 audits are geared towards the likes of data centers, ISPs, SaaS/cloud computing vendors, etc. It's a much needed change in service organization control reporting, so continue to expect tremendous growth for SOC 2 audits.

Talk to the SOC 1 and SOC 2 Compliance Experts Today at NDNB

Today’s regulatory compliance landscape can be extremely expensive and demanding, and that’s exactly why service organizations all throughout North America are turning to the proven, trusted professionals at NDNB. We offer a complete line of services and solutions, ranging from readiness assessments to policy writing and remediation, along with performing SOC 1 (SSAE 16/SSAE 18), SOC 2, and SOC 3 audits and any other compliance assessments your business requires. To learn more about NDNB's SOC 1 (SSAE 16/SSAE 18) and SOC 2 services, along with obtaining a fixed-fee proposal, contact us today, or speak directly with Christopher Nickell, CPA, at 1-800-277-5415, ext. 706.

Since 2006, NDNB has been setting the standard for security & compliance regulations