AuditXYZ

Compliance Framework

Statement on Standards for Attestation Engagements No. 18

SSAE 18 is the US attestation standard governing SOC 1 and SOC 2 reports. This guide covers the standard's requirements, engagement types, and what organizations should know about the SOC reporting framework.

Issuing Body: American Institute of Certified Public Accountants (AICPA)
First Published: 2016-04-01
Latest Version: 2016 (effective 2017, with ongoing interpretations)
Typical Cost: $30,000–$200,000
Typical Timeline: 3–9 months
Audit Required: Yes
Audit Frequency: Annual reports are standard practice. Type 2 reports cover a minimum observation period defined by the engagement.
Geography: United States

SSAE 18: US Attestation Standard for Service Organizations

Statement on Standards for Attestation Engagements No. 18 (SSAE 18) is the AICPA professional standard that governs how CPAs perform attestation engagements in the United States, including SOC 1 (service organization controls relevant to financial reporting) and SOC 2 (service organization controls for security, availability, processing integrity, confidentiality, and privacy) reports. Understanding SSAE 18 helps organizations navigate the SOC reporting process more effectively.

What SSAE 18 Covers

SSAE 18 consolidates and clarifies the attestation standards previously spread across multiple statements. It is organized into sections covering general concepts (AT-C 105), examination engagements (AT-C 205), review engagements (AT-C 210), agreed-upon procedures (AT-C 215), and reporting on controls at service organizations (AT-C 320).

AT-C 320 is the section most relevant to SOC reports. It defines the requirements for Type 1 (point-in-time) and Type 2 (period of time) reports, including the service organization's description of its system, management's assertion, the service auditor's report, and for Type 2 reports, a description of tests performed and results.

A key requirement introduced by SSAE 18 is the explicit monitoring of subservice organizations — when a service organization uses other service providers to deliver its services, the auditor must consider the controls at those subservice organizations.

Who Needs to Understand SSAE 18

Service organizations undergoing SOC 1 or SOC 2 examinations need to understand SSAE 18 requirements to prepare effectively. CPA firms performing attestation engagements must comply with the standard. User organizations evaluating SOC reports benefit from understanding the standard's assurance levels and limitations. Compliance professionals managing SOC programmes should understand how SSAE 18 shapes the audit process.

Engagement Process

The service auditor accepts the engagement, assesses independence and ethical requirements, plans the examination based on risk assessment, tests controls for design suitability (Type 1) and operating effectiveness (Type 2), evaluates evidence, and issues a report with an opinion. SSAE 18 requires the auditor to assess the risk of material misstatement and design procedures responsive to those risks.

Cost Considerations

SOC 1 engagements under SSAE 18 typically cost $30,000 to $100,000. SOC 2 engagements range from $30,000 to $200,000 depending on the trust service criteria in scope and the number of controls. Type 2 reports cost more than Type 1 due to extended testing over the observation period. Organizations should budget separately for readiness preparation, which may equal or exceed the audit fee for first-time engagements.
