
Cyber Security

SSAE 18 — Attestation Standard for Service Organisations

Independent SOC reporting under SSAE 18 — the AICPA attestation standard governing service organisation control reports in the United States.

  • Typical timeline to certificate: 10-14 weeks
  • Governing body / standard owner: AICPA
  • Accredited & globally recognised: AICPA

What SSAE 18 is and why buyers ask for it

SSAE 18 — the Statement on Standards for Attestation Engagements No. 18 — is the auditing standard in the United States for evaluating and reporting on the internal controls of service organisations. Issued by the American Institute of Certified Public Accountants (AICPA), it replaced the earlier SSAE 16 standard and now governs how a SOC 1 examination is conducted and reported.

In practice, when a customer asks a vendor for “an SSAE 18 report,” they are asking for assurance — usually a SOC 1 report — over the controls the vendor operates that touch the customer’s financial data or critical operations. Like the other service-organisation reports in the Cyber Security family, it lets you satisfy many customers and their auditors with one independent examination rather than a stream of individual audits.

What the assessment covers

An SSAE 18 engagement reports on the controls relevant to the service you provide, in two forms:

  • Type I — an assessment of the design and implementation of controls at a specific point in time.
  • Type II — design and operating effectiveness tested over a period, commonly six months to a year.

A defining feature of SSAE 18 compared with its predecessor is the emphasis on how a service organisation monitors any sub-service organisations it relies on, and on the complementary controls customers are expected to have in place. The engagement is scoped to the control objectives that matter for your service, with readiness work to close gaps before the formal examination.

Typical timeline

A Type I report is typically achievable in around 10–14 weeks depending on how mature your controls already are; a Type II report adds the observation period over which they are tested. As always, the engagement starts with a fixed-price scoping call and a proposal within 24 hours.

Common questions

What is the difference between SSAE 18 and SOC 1?

SSAE 18 is the standard; SOC 1 is the report produced under it. SSAE 18 is the AICPA attestation standard that governs how a SOC 1 examination is performed and reported in the United States. When someone asks for an “SSAE 18 report,” they usually mean a SOC 1 report.

What happened to SSAE 16?

SSAE 18 superseded SSAE 16 in 2017, consolidating and updating the AICPA’s attestation standards. Among other changes, it strengthened requirements around the monitoring of sub-service organisations. Examinations previously performed under SSAE 16 are now performed under SSAE 18.

What is the difference between a Type I and a Type II report?

A Type I report assesses the design and implementation of controls at a specific point in time. A Type II report assesses design and operating effectiveness over a period — commonly six months to a year. Most clients expect a Type II report.

How does SSAE 18 relate to ISAE 3402?

SSAE 18 governs SOC 1 reports in the US, while ISAE 3402 is the international equivalent issued by the IAASB. Organisations reporting to overseas clients often choose ISAE 3402; those reporting primarily to US audiences use SOC 1 under SSAE 18.
