SOC 1 (SSAE 16/SSAE 18) engagements are undertaken by a service auditor to report on controls at service organizations that provide services to user entities, where those controls are likely to be relevant to user entities’ internal control over financial reporting. In simpler terms, SSAE 18 reports, much like those under the now-historical SSAE 16 auditing standard, focus on internal controls over financial reporting. The SSAE 18 standard has been very clear from the outset in describing the scope of this type of engagement for purposes of reporting and preparing SOC 1 SSAE 18 Type 1 and Type 2 reports. Thus, practitioners should perform an alternative engagement under AT section 101, Attest Engagements, when reporting on controls other than those related to internal control over financial reporting.
SOC 1 (SSAE 16/SSAE 18), ISAE 3402 and SOC 2 Reports - A Natural Evolution
That said, the SSAE 16 standard, put forth by the Auditing Standards Board (ASB) of the AICPA, clearly states that controls “likely” to be relevant to user entities’ internal control over financial reporting are to be included in the scope of an SSAE Type 1 or Type 2 engagement for purposes of reporting on controls. The word “likely” seems to provide the flexibility to include controls as needed in SSAE 16 reports.
The Birth of ISAE 3402 - European SSAE 16 Equivalent