SSAE 18 refers to Statement on Standards for Attestation Engagements No. 18, which replaced the audit requirements under SSAE 16, effective May 1, 2017.
SOC refers to the Systems and Organization Control 1, 2, and 3 reports released by the American Institute of Certified Public Accountants (AICPA), which were known as Service Organization Control reports when they were released in June 2011.
SSAE 18 serves as the guidance for the issuance of SOC 1 reports.
Here is what you need to know about SSAE 18 and SOC 1:
- SSAE 18 provides the framework for evaluating and reporting on the design and operation of internal controls at a service organization that are reported in a SOC 1 report
- The control objectives for a SOC 1 report are defined by the service organization and should include those objectives which may be relevant to the internal controls around financial reporting of the user entity (i.e. customers of the service organization)
- The SOC 1 report is intended for limited distribution to customers, their financial auditors, and other regulators
- A SOC 1 report can be issued as a Type I or Type II report.