SSAE 16 vs SSAE 18: Changes to SOC 1 Compliance Audits

by Hannah Grace Holladay / February 28th, 2024

In April 2016, the American Institute of Certified Public Accountants (AICPA) issued an important update to its attestation standards that changed how SOC 1 audits are performed. Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification, changed both the SOC 1 audit itself and how attestation engagements are categorized.

Below, we explore the reason for this change and how SSAE 18 affects you.

What is SSAE 16?

SSAE 16 is the Statement on Standards for Attestation Engagements No. 16. It provided the standards and guidance for attestation reporting on controls and processes at service organizations.

Audits performed under SSAE 16 generally resulted in Service Organization Control (SOC 1) reports (the AICPA later redefined the SOC acronym as System and Organization Controls). Unlike its predecessor, SAS 70, SSAE 16 required a written assertion from the service organization's management stating that its description fairly presents the system, the control objectives, and the operational activities that affect customers. In 2017, SSAE 18 superseded SSAE 16.

What is SSAE 18?

SSAE 18 is the current set of standards and guidance for reporting on controls and processes at service organizations. It supersedes SSAE 16 with updated and simplified standards.

SSAE 18 governs SOC 1 reports, as SSAE 16 did, and also SOC 2 and SOC 3 reports, which were previously performed under AT section 101. Among other changes, SSAE 18 additionally requires that service organizations identify their subservice organizations and provide their risk assessments to the auditor.

Learn more at our Guide to SAS 70 vs SSAE 16 vs SSAE 18.

SSAE 16 vs. SSAE 18: What’s the Difference?

SSAE and SOC are often used interchangeably. However, the two are distinct, and it is useful to understand the difference.

  • SSAE 18 is the Statement on Standards for Attestation Engagements No. 18. As the name suggests, it sets out the standards and guidance for completing attestation engagements; these are the standards and processes CPAs follow when carrying out SSAE examinations.
  • SOC is the System and Organization Controls report. It is the report that CPAs produce after conducting an attestation engagement under the SSAE 18 standards.

Essentially, SSAE refers to the standards, and SOC refers to the report.

In 2016, the AICPA updated the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) to No. 18 (SSAE 18). This change simplified and converged attestation standards related to SOC 1 audits.

SSAE 18 also expanded the standard to cover more types of attestation reports (including SOC 2), whereas SSAE 16 was limited to SOC 1 reports.

What was the purpose of SSAE 16?

The purpose of SSAE 16, issued by the AICPA, was to provide the framework that SOC 1 audits followed.

Each new Statement on Standards for Attestation Engagements helps to simplify and converge attestation standards, aligning them with international standards and new technology.

Why the Change From SSAE 16 to SSAE 18?

With SSAE 18, the AICPA changed how attestation engagements such as the former SSAE 16 are defined. Even though change can be challenging, the SSAE 18 update simplifies and converges attestation standards and aligns them with international standards.

Convergence

The Auditing Standards Board (ASB) is converging its standards with international standards so that, regardless of which region of the world you operate in, the standards are accepted and consistent.

For example, if you conduct business in Europe, you may have been issued an ISAE (ISAE 3402) report instead of an SSAE report. Similarly, if you conduct business in Canada, you may have been issued a CSAE (CSAE 3416) report.

Simplification

Another reason behind the shift from SSAE 16 to SSAE 18 is simplification. The attestation (AT) section of the AICPA professional standards, which deals with attestation engagements, contained several different standards. These AT sections were issued in the form of Statements on Standards for Attestation Engagements (SSAEs), and several separate SSAEs covered the various kinds of engagement.

SSAE 18 Sections

With SSAE 18, the AICPA took these separate sections and recodified them into one source. The older AT section numbers were retired and their content re-categorized into the new AT-C sections of SSAE 18. The superseded sections were:

  • AT sec. 20
  • AT sec. 50
  • AT sec. 101 (This was the standard we used in SOC 2 engagements)
  • AT sec. 201
  • AT sec. 301
  • AT sec. 401
  • AT sec. 601
  • AT sec. 701
  • AT sec. 801 (This was the standard we used in SOC 1/SSAE 16 engagements)

These were replaced by the following AT-C sections, all codified in SSAE 18:

  • AT-C sec. 105 (SOC 1 and SOC 2)
    • This section deals with Concepts Common to All Attestation Engagements
  • AT-C sec. 205 (SOC 1 and SOC 2)
    • This section deals with Examination Engagements
  • AT-C sec. 210
    • This section deals with Review Engagements
  • AT-C sec. 215
    • This section deals with Agreed-Upon Procedures Engagements. In other words, a client may ask an independent auditor to perform specified procedures on its behalf and report the findings. This was a separate standard prior to SSAE 18.
  • AT-C sec. 305
    • This section deals with Prospective Financial Information.
  • AT-C sec. 310
    • This section deals with Reporting on Pro Forma Financial Information
  • AT-C sec. 315
    • This section deals with Compliance Attestations and provides guidance on how to perform engagements that attest to compliance with laws and regulations. If you need an independent auditor to confirm that you comply with HIPAA or CFPB regulations, for example, the auditor would refer to this section.
  • AT-C sec. 320 (SOC 1)
    • This section deals with Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting. The engagement that used to be called an SSAE 16 is now simply referred to as a SOC 1 examination; it is not called an SSAE 18.
  • AT-C sec. 395
    • This section deals with Management Discussion and Analysis

The two engagements that we encounter the most are AT-C sec. 205 (SOC 1, SOC 2, HITRUST, CSA) and AT-C sec. 320 (SOC 1).

AT-C sec. 205 applies when there is published, independent subject matter, such as the CSA or HITRUST control frameworks, against which an independent auditor can attest that the client is complying with the controls. AT-C sec. 320 deals specifically with reporting on controls relevant to user entities' internal control over financial reporting.

We most commonly see this with payment processors, collection agencies, data centers, and hosting providers that host or run accounting or accounts receivable systems on behalf of clients. Those service organizations are responsible for the physical and environmental controls that may affect a client's financial reporting.

SSAE 16 was valid only for reports dated through April 30, 2017. For reports dated on or after May 1, 2017, these reports are referred to as SOC 1 reports, not as SSAE 18 reports.

What are the Changes to SOC 1 Audits With SSAE 18?

The main changes to SOC 1 audits under SSAE 18 concern risk assessment and the monitoring of subservice organizations.

Stronger focus on Risk Assessment

The first change is that SOC 1 audits now place a stronger focus on risk assessment.

Over the last few years, data breaches have increased dramatically. Successful phishing attempts against personal email accounts have risen four-fold relative to corporate accounts, as attackers view individuals as easier targets, giving them more opportunities to damage and steal information.

The current threat landscape requires organizational risks to be addressed thoroughly. Several parts of the SOC 1 audit standard include strong language around risk identification and risk management, which we interpret as requiring a formal, documented risk assessment.

Here is some example language from the standard that points to the requirement for a formal risk assessment process:

  • The SOC 1 standard now requires that management acknowledge and accept its responsibility for identifying the risks that threaten the achievement of the control objectives stated in the description, and for designing, implementing, and documenting controls that are suitably designed and operating effectively to provide reasonable assurance that those control objectives will be achieved.

KirkpatrickPrice urges clients to involve management heavily in the risk assessment process, because management must acknowledge and accept responsibility for identifying and mitigating the risks that threaten the achievement of the control objectives stated in its description.

  • The auditor must verify whether management properly identified all risks that threaten the achievement of the control objectives stated in management's description.

The SOC 1 audit now requires that auditors determine whether all risks were appropriately identified and addressed, and identify what is missing. If a formal risk assessment process has not taken place, the auditor will likely uncover gaps and insufficiencies.

  • The auditor must obtain an understanding of management's process for identifying and evaluating the risks that threaten the achievement of the control objectives, and assess the completeness and accuracy of management's identification of those risks.

The previous standard allowed a "formal or informal" risk assessment process; SSAE 18 instead asks auditors to understand management's process and assess whether it is complete and accurate.

  • The auditor must evaluate the linkage between the controls identified in management's description of the service organization's system and those risks, and determine that the controls have been implemented.

Your auditor must attest to whether the appropriate controls are in place.

  • The auditor must also evaluate whether the information provided by the service organization is sufficiently reliable for the service auditor's purposes, by obtaining evidence about its accuracy and completeness and evaluating whether it is sufficiently precise and detailed.

Your auditor will determine whether your risk assessment process is accurate and complete, which means that a formal risk assessment is necessary. The auditor is also required to obtain evidence that the information you provide is reliable.

Monitoring Subservice Organizations

The other major SOC 1 audit change requires service organizations to monitor control effectiveness at their subservice organizations. Service organizations must now not only identify the critical organizations they rely on to provide their services, but also monitor that those organizations, too, are complying with all relevant standards.

Many of our clients outsource critical business operations to a third party, or supplement internal staff with one. Service organizations are now required to manage their subservice organizations' compliance, and their approach must combine ongoing monitoring (ensuring potential issues are identified in a timely manner) and separate evaluations (determining that the effectiveness of internal control is maintained over time).

Organizations must understand vendor risks and ensure their vendors meet the control objectives in the description. The SOC 1 standard gives six examples of how to accomplish this:

  • Reviewing and reconciling output reports
  • Holding periodic discussions with the subservice organization
  • Making regular site visits to the subservice organization
  • Testing controls at the subservice organization by members of the service organization's internal audit function
  • Reviewing Type I or Type II reports on the subservice organization's system
  • Monitoring external communications, such as customer complaints relevant to the services provided by the subservice organization

How to Make the Shift to the New SOC 1 Audit?

When shifting to the SSAE 18 SOC 1 standard, every organization should first perform a formal risk assessment. KirkpatrickPrice helps companies do this by offering specialized resources to facilitate the assessment, as well as risk assessment resources and tools to help you begin documenting on your own.

Next, organizations should assess their vendor compliance management. When managing vendors, you must define the risks your vendors pose to your organization and the services you rely on them to provide.

Is there anything in their environment that could cause you to be non-compliant? KirkpatrickPrice's Online Audit Manager is a tool that service organizations use to manage and monitor vendor compliance.

If you have any questions regarding the changes to SOC 1, contact us today.

More SOC 1 Resources

Understanding Your SOC 1 Report Video Series 

SOC 1 Compliance Checklist: Are You Prepared for an Audit? 

How to Read Your Vendors SOC 1 or SOC 2 Report? 

About the Author

Hannah Grace Holladay

Hannah Grace Holladay is an experienced content marketer with degrees in both creative writing and public relations. She has earned her Certificate in Cybersecurity (CC) certification from (ISC)2 and has worked for KirkpatrickPrice since November 2019, starting first as a Professional Writer before moving to the marketing team as our Content Marketing Specialist. Her experience at KirkpatrickPrice and love for storytelling inspires her to create content that educates, empowers, and inspires the cybersecurity industry.