What is an SSAE 18 Report?

Published March 25, 2019

As part of Service Organization Controls (SOC) reporting, organizations need to engage in the audit process. The SSAE 18 audit standard, superseding the SSAE 16 which had replaced the SAS 70, is a formalized auditing standard designed by the American Institute of Certified Public Accountants (AICPA).

Service organizations that need either a SOC 1 or SOC 2 report must meet the requirements of the auditing standard. SOC 1 reports cover internal controls over financial reporting. SOC 2 reports, sometimes referred to as System and Organization (SOC) Reports, review internal controls over data security, availability, processing integrity, confidentiality, and privacy.

To increase the usefulness and consistency of these audit reports, the SSAE 18 standard incorporated a series of enhancements that included a risk analysis of subservice organizations (vendors) and an annual risk assessment process.

The increased use of third-party business partners means that organizations that need to engage in SOC reporting now need to review the information security controls governing their data centers, cloud infrastructures, Software-as-a-Service platforms, and other outsourced vendors.
