The American Institute of Certified Public Accountants (AICPA) Auditing Standards Board created the Statement on Standards for Attestation Engagements No. 18 as an auditing standard. This standard regulates how businesses conduct internal system and control audits.



The audit process for Service Organization Controls or System and Organization Controls (SOC) reports is governed by SSAE 18, formerly known as SSAE 16 or SAS 70 reports. There are three forms of SOC reports.


  • SOC 1 reports address an organization’s internal controls around financial reporting;
  • SOC 2 reports address internal controls over data security, availability, processing integrity, confidentiality, and privacy; and
  • SOC 3 reports are a slimmed-down version of SOC 2 reports and are meant for a service business to circulate publicly to potential customers.


Importance of SSAE 18:

Organizations and service auditors that must show information security compliance with laws like Sarbanes-Oxley (SOX), PCI, and HIPAA might benefit from the guidelines provided by SSAE 18.


All businesses that handle customer data, including sensitive information like names and phone numbers and PII, should confirm that their service organization's systems meet both regulatory and non-regulatory requirements like SSAE 18.


Organizations like cloud computing providers or financial services providers should periodically assess their business processes to ensure that their operational effectiveness fulfils the criteria set out by standards like SSAE 18 in order to give their clients with excellent customer service.


Compliance Checklist for SSAE 18:

  1. Define the scope of your SOC audit. 
  2. Review the physical location being audited.
  3. Define the number of additional locations that will be audited.
  4. Determine the audit testing period.
  5. Specify the workforce members who need to be involved during the audit process.
  6. Define the sub-service organizations that need to be reviewed as part of the audit.
  7. Review data centers, cloud service providers, and SaaS platforms.
  8. Set your control objectives.
  9. Define the internal controls that require review.
  10. Determine the steps necessary for testing.
  11. Define the process owners who need to be involved.
  12. Establish an internal stakeholder who needs to review and respond to the draft report.
  13. Define the stakeholders who must approve the final report.