SSAE 16, SSAE18, SOC 1, SOC2: Understand risk and security

June 18, 2020

SSAE 16 to SSAE 18, and SOC 1 and SOC 2

As your company grows, solid security infrastructure is necessary to manage the data security implications of today’s business practices. Cloud computing and the ease of outsourcing services that would have previously required costly in-house storage and computing capacities have changed the way companies do business.

This flexibility today enables organizations to nimbly adapt in response to market needs, and to access breakthrough opportunities for growth. Flexibility for companies is partly driven by systems, programs, and third party operations including SSAE 16, SSAE 18, SOC 1, and SOC 2. But as your company grows it is important to know what the differences between SSAE 16 vs SSAE 18 are.

But this level of flexibility — and the risks that come with outsourcing services that require third-party access to customer data and information — also require comparably evolved security standards, and holistic methods of assessing an organization’s approach to managing its security, internally and in regards to how it works with external partners and service providers.

Establishing a holistic security infrastructure as your organization charts its growth path will position you to maintain a strong security posture as your company grows — ensuring that you build and maintain the trust of your customers along the way.

It is of key importance to understand the cybersecurity risks as well as the benefits associated with outsourcing services. The ease and speed with which companies can streamline operations using software tools operating in the cloud has transformed the business landscape.

However, the use of third-party services accessing data in the cloud means that your company has less control over its data, and less knowledge about where that data is traveling. While outsourcing your company’s services streamlines your operations, the responsibility of maintaining the security of customer data remains with your company — no matter where your data goes.

What is SSAE 16?

SSAE 16 stands for Statement on Standards for Attestation Engagements #16. In practice, SSAE is a set of auditing standards established by the AICPA to guide auditors, especially as they prepare SOC 1 reports. It has been largely replaced by SSAE 18, though, which is why SSAE 18 is often preferred when comparing SSAE 16 vs. SSAE 18.

What is SSAE 18?

SSAE 18, or the Statement on Standards for Attestation Agreements #18, was created and enacted in 2017 by the AICPA. It’s a comprehensive auditing standard that integrates most of the AICPA’s previous standards, so while comparisons of SSAE 18 vs. SSAE 16 often recognize that SSAE 18 is newer, it’s more accurate to say that SSAE 18 includes SSAE 16. SSAE 18 is typically used for SOC 2 reports and SOC 3 reports.

“Vanta's expert team helped analyze our compliance requirements and shared what was needed to complete a SAQ-D. Because of this, we accelerated our timelines, saved hundreds of hours and thousands of dollars in costs.”

Klas Hesselman
Co-founder  |  Flow Networks

Key security terms to know

You’ll hear many terms when you’re discussing security and how to prove your company’s security:

  • SSAE 16
  • SSAE 18
  • SOC 1
  • SOC 2

What do these terms mean? How do they fit together? And how are they different?

First, the SSAE 16 and now the SSAE 18 standard, and SOC 1 and SOC 2 reports, are the current iterations of audit standards and reporting frameworks. These methods have evolved over the years to accurately reflect the nature of how companies do business, and to effectively assess the controls that companies have in place to manage their security.


What is the SSAE 16 audit?


In the 1990s, the American Institute of Certified Public Accountants (AICPA) guidelines offered an examination for service providers based on Statements on Auditing Standards (SAS) 70. The focus of these guides were to ensure that appropriate controls were in place at businesses that engaged service organizations to perform tasks that could have an impact on that business’s financial statements.

Since that time, the advent and the rapidly increasing prevalence of cloud computing, and the ability of companies to outsource their services to third-party providers, changed the landscape of service organization assessment.

The need for more comprehensive systems of assessment resulted in the development of the SSAE 16 audit (Statements on Standards for Attestation Engagements No. 16) as well as the SOC (System and Organization Controls) reporting framework.

The SSAE 16 was a set of auditing standards and guidance published by the Auditing Standards Board (ASB) of the AICPA, and it applied specifically to SOC 1 reports. A SOC 1 report documents an organization’s internal controls that are likely to be relevant to an audit of that organization’s financial statements.

The SSAE 16 audit and report process was issued in 2010 and was effective as of June 2011. Starting in May 2017 SSAE 18 supersedes SSAE 16. When it comes to SSAE 16 vs SSAE 18, there are some major differences you and your business need to be aware of.


Evolving standards: What is the difference between SSAE 16 vs SSAE 18


Changes from the SSAE 16 audit standard to the SSAE 18 require companies to take greater ownership of their own internal controls around. SSAE 16 vs. SSAE 18 controls were specifically around identification and classification of risk and to enact appropriate management of third-party vendor relationships.

Specifically, SSAE 18 requires identification of subservice or third-party organizations used to provide services. SSAE 18 also controls that those organizations employ to provide services to their customers.

When it comes to the differences between SSAE 16 vs. SSAE 18, an organization's ability to handle relevant controls is a major difference. An organization must implement controls to monitor, in turn, the relevant controls employed by third-party organizations. (Learn more about implementing a vendor management policy.)

Overall, the SSAE 18 standard includes enhancements intended to increase the usefulness and quality of SOC reports. SSAE 18 addresses different types of attestation reports, including and beyond the SOC 1, though a SOC 1 remains a typical report generated from an audit against the SSAE 18 standard.

Why change from SSAE 16 to SSAE 18?

Any change to your operations requires time and effort, so is it worth it to change from SSAE 16 to SSAE 18? In short, yes, there are multiple advantages to switching to SSAE 18.

In comparing SSAE 16 vs. SSAE 18, SSAE 18 is a more unified standard for international use. For organizations doing business overseas, SSAE 18 allows for reporting that is more widely recognized in different regions of the world.

SSAE 18 also simplifies certain sections of SSAE 16, especially the attestation sections. While it can take time to get used to the new scheme of SSAE 18 vs. SSAE 16, SSAE 18 is a more straightforward standard that will streamline reporting in the long run.

Proving security with SOC reports

Auditing and reporting against industry standards like SSAE 18 are key components of a holistic approach to compliance risk management. How can your company ensure that the providers with whom you do business are meeting your needs and regulators’ requirements for security, confidentiality, and information privacy?

Today, the best way to ensure that your service providers have appropriate security controls in place is to obtain assurances in the form of SOC 1 and SOC 2 reports. These two reports are the specific outputs of service organization audits by a third-party accounting firm.

Audited service providers are able to demonstrate that they are certified and in compliance with the level of data and information security a company requires from its providers. SOC 1 reports and their documentation of controls that are relevant to an audit of financial statements are one part of ensuring and maintaining your company’s holistic security and compliance ecosystem.

SOC 2 audits and reports are also an essential part of demonstrating your company’s security practices and evaluating vendors to ensure that their security is up to agreed-upon standards. The SOC 2 report structure is based on the five Trust Services Criteria of:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

The Trust Services Criteria can help provide a framework for your company to develop a coherent and comprehensive security roadmap.

Vanta is your automated security and compliance expert. We can provide your company with powerful continuous monitoring software to maintain and monitor security across your business ecosystem.

With Vanta, your company’s security oversight processes are running in the background, across your company’s established policies and vendor relationships — ready to alert your team if anything is out of order.

Vanta automates security compliance.
Please enter your first name
Please enter your last name
Please enter a valid email address
Please enter a job title
Please enter your company name
Please enter your company website
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.