SOC 1 (SSAE 16/SSAE 18) engagements undertaken by a service auditor are to be done so for the purposes of reporting on controls at service organizations that provide services to user entities, and for which the controls are likely to be relevant to user entities’ internal control over financial reporting. In simpler terms, SSAE 18 reports, much like the now historical SSAE 16 auditing standard, are focused on internal controls over financial reporting. The SSAE 18 standard has been very clear from the onset in describing the scope of this type of engagement for purposes of reporting and preparing SOC 1 SSAE 18 Type 1 and Type 2 reports. Thus, practitioners should perform an alternative engagement under AT section 101, Attest Engagements, when reporting on controls other than those related to internal control over financial reporting.

SOC 1 (SSAE 16/SSAE 18), ISAE 3402 and SOC 2 Reports - A Natural Evolution

In years past, the now defunct SAS 70 auditing standard, and the now defunct SSAE 16 auditing standard, became heavily used in ways it was never really intended for. As a report that was originally designed for auditor to auditor use (service auditor providing it to the user auditor), it quickly became an auditing framework used to report on controls outside the scope of financial reporting, with many businesses obtaining SAS 70 Type I and Type II and SSAE 16 Type 1 and Type II compliance for marketing and business development reasons. With SSAE 18 superseding SAS 70 and SSAE 16, its seems plausible that service organizations and other interested parties will continue to obtain third-party validation for reporting on controls, with SSAE 16 or possibly ISAE 3402 being that mechanism. A report issued under the framework of AT section 101, Attest Engagements, may be the logical choice for many entities, thus, SOC 2 Type 1 and SOC 2 Type 2 reports are growing in terms of use, acceptance, and recognition. 

With that said, however, the SSAE 16 standard, put forth by the Auditing Standards Board (ASB) of the AICPA, does clearly state that controls “likely” to be relevant to user entities’ internal control over financial reporting are to be included in the scope of an SSAE Type 1 or Type 2 engagement for purposes of reporting on controls. The “likely” phrase seems to provide the flexibility for including controls as needed for SSAE 16 reports. 

The Birth of ISAE 3402 - European SSAE 16 Equivalent

And if practitioners find any limitations with the SSAE 18 standard, they have the option of utilizing the ISAE 3402 standard, which states the following: “…determination of whether controls at a service organization related to operations and compliance are likely to be relevant to user entities’ internal control as it relates to financial reporting is a matter of professional judgment…” Source: Basis for Conclusions: ISAE 3402, Assurance Reports on Controls at a Service Organization, December 2009.  Please contact us today or call Christopher G. Nickell, CPA, directly at 1-800-277-5415, ext. 706, or email him at This email address is being protected from spambots. You need JavaScript enabled to view it., to learn more about NDNB’s competitive, fixed fees for SOC 1 (SSAE 16/SSAE 18) Type 1 and Type 2 reporting.