SSAE 16 to SSAE 18, and SOC 1 and SOC 2

June 18, 2020

As your company grows, solid security infrastructure is necessary to manage the data security implications of today’s business practices. Cloud computing and the ease of outsourcing services that would have previously required costly in-house storage and computing capacities have changed the way companies do business. This flexibility today enables organizations to nimbly adapt in response to market needs, and to access breakthrough opportunities for growth.

But this level of flexibility — and the risks that come with outsourcing services that require third-party access to customer data and information — also require comparably evolved security standards, and holistic methods of assessing an organization’s approach to managing its security, internally and in regards to how it works with external partners and service providers.

Establishing a holistic security infrastructure as your organization charts its growth path will position you to maintain a strong security posture as your company grows — ensuring that you build and maintain the trust of your customers along the way.

It is of key importance to understand the cybersecurity risks as well as the benefits associated with outsourcing services. The ease and speed with which companies can streamline operations using software tools operating in the cloud has transformed the business landscape. However, the use of third-party services accessing data in the cloud means that your company has less control over its data, and less knowledge about where that data is traveling. While outsourcing your company’s services streamlines your operations, the responsibility of maintaining the security of customer data remains with your company — no matter where your data goes.

“Vanta's expert team helped analyze our compliance requirements and shared what was needed to complete a SAQ-D. Because of this, we accelerated our timelines, saved hundreds of hours and thousands of dollars in costs.”

Klas Hesselman
Co-founder  |  Flow Networks

Key security terms to know

You’ll hear many terms when you’re discussing security and how to prove your company’s security: SSAE 16 and SSAE 18, SOC 1, and SOC 2. What do these terms mean? How do they fit together?

First, the SSAE 16 and now the SSAE 18 standard, and SOC 1 and SOC 2 reports, are the current iterations of audit standards and reporting frameworks that have evolved over the years to accurately reflect the nature of how companies do business, and to effectively assess the controls that companies have in place to manage their security.

Origin of the SSAE 16 audit

In the 1990s, the American Institute of Certified Public Accountants (AICPA) guidelines offered an examination for service providers based on Statements on Auditing Standards (SAS) 70 — the focus of which was ensuring that appropriate controls were in place at businesses that engaged service organizations to perform tasks that could have an impact on that business’s financial statements. Since that time, the advent and the rapidly increasing prevalence of cloud computing, and the ability of companies to outsource their services to third-party providers, changed the landscape of service organization assessment.

The need for more comprehensive systems of assessment resulted in the development of the SSAE 16 audit (Statements on Standards for Attestation Engagements No. 16) as well as the SOC (System and Organization Controls) reporting framework. The SSAE 16 was a set of auditing standards and guidance published by the Auditing Standards Board (ASB) of the AICPA, and it applied specifically to SOC 1 reports. A SOC 1 report documents an organization’s internal controls that are likely to be relevant to an audit of that organization’s financial statements.

The SSAE 16 audit and report process was issued in 2010 and was effective as of June 2011. The SSAE 18 standard, effective as of May 2017, supersedes SSAE 16.

Evolving standards: From the SSAE 16 to SSAE 18

Changes from the SSAE 16 audit standard to the SSAE 18 require companies to take greater ownership of their own internal controls around the identification and classification of risk and to enact appropriate management of third-party vendor relationships. Specifically, SSAE 18 requires identification of subservice or third-party organizations used to provide services, as well as the controls that those organizations employ to provide services to their customers. SSAE 18 also requires an organization to implement controls to monitor, in turn, the relevant controls employed by third-party organizations. (Learn more about implementing a vendor management policy.)

Overall, the SSAE 18 standard includes enhancements intended to increase the usefulness and quality of SOC reports. SSAE 18 addresses different types of attestation reports, including and beyond the SOC 1, though a SOC 1 remains a typical report generated from an audit against the SSAE 18 standard.

Proving security with SOC reports

Auditing and reporting against industry standards like SSAE 18 are key components of a holistic approach to compliance risk management. How can your company ensure that the providers with whom you do business are meeting your needs and regulators’ requirements for security, confidentiality, and information privacy? Today, the best way to ensure that your service providers have appropriate security controls in place is to obtain assurances in the form of SOC 1 and SOC 2 reports — the specific outputs of service organization audits by a third-party accounting firm. Audited service providers are able to demonstrate that they are certified and in compliance with the level of data and information security a company requires from its providers.

SOC 1 reports and their documentation of controls that are relevant to an audit of financial statements are one part of ensuring and maintaining your company’s holistic security and compliance ecosystem. SOC 2 audits and reports are also an essential part of demonstrating your company’s security practices and evaluating vendors to ensure that their security is up to agreed-upon standards. The SOC 2 report structure — based on the five Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy — can help provide a framework for your company to develop a coherent and comprehensive security roadmap.

Vanta is your automated security and compliance expert — providing your company with powerful continuous monitoring software to maintain and monitor security across your business ecosystem. With Vanta, your company’s security oversight processes are running in the background, across your company’s established policies and vendor relationships — ready to alert your team if anything is out of order.

Vanta automates security compliance.
Please enter your first name
Please enter your last name
Please enter a valid email address
Please enter a job title
Please enter your company name
Please enter your company website
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.