SSAE 16 to SSAE 18: How Does They Differentiate?

SSAE 16 to SSAE 18 How Does They Differentiate

The field of auditing and attestation has witnessed significant changes in recent years, particularly in the realm of service organization controls. The Statement on Standards for Attestation Engagements (SSAE) series provides guidelines and requirements for auditors when assessing the internal controls of service organizations. In this article, we will explore the transition from SSAE 16 to SSAE 18 and the implications for both service organizations and user organizations.

Introduction to SSAE 16 to SSAE 18

Introduction to SSAE 16 to SSAE 18

SSAE 16, formally known as the Statement on Standards for Attestation Engagements No. 16, was introduced in 2010 by the American Institute of Certified Public Accountants (AICPA). It replaced the SAS 70 (Statement on Auditing Standards No. 70) as the prevailing standard for reporting on controls at service organizations.

With the increasing complexity of service organizations’ environments and the evolving nature of their relationships with subsurface organizations, the need for a more comprehensive and robust attestation standard became evident. As a result, SSAE 18, the Statement on Standards for Attestation Engagements No. 18, was issued in May 2017, supplanting SSAE 16.

Understanding SSAE Standards

SSAE 16 was designed to enhance the audit process and provide users of service organization controls reports with greater transparency and reliability. The standard focused primarily on the controls at the service organization and did not explicitly address the controls of subsurface organizations.

Under SSAE 16, service organizations were required to undergo an audit conducted by a certified public accountant (CPA) who would issue a Service Organization Control (SOC) report. This report aimed to provide information about the service organization’s controls and their effectiveness.

Transition to SSAE 18

SSAE 18 introduced several changes to address the limitations of SSAE 16 and provide a more comprehensive and rigorous assessment of service organizations. The new standard places greater emphasis on risk assessment, subsurface organizations, and the quality of service organization control reports.

One of the key reasons for the transition from SSAE 16 to SSAE 18 was the recognition of the increasing involvement of sub-service organizations in the overall service delivery chain. Subservice organizations are entities that perform services for the service organization and have a direct impact on the services provided to user organizations. SSAE 18 now requires service organizations to assess and report on the controls implemented by sub-service organizations.

Key Differences Between SSAE 16 and SSAE 18

Key Differences Between SSAE 16 and SSAE 18

These are the key differences between SSAE 16 and SSAE 18:

Focus on Complementary Subservice Organizations

Under SSAE 18, service organizations are now required to identify and evaluate the controls implemented by sub-service organizations that are complementary to the services provided by the service organization. This ensures a more holistic assessment of the overall control environment and provides users of the SOC reports with a comprehensive view of the risks involved.

Emphasis on Risk Assessment and Management

SSAE 18 places a greater emphasis on risk assessment and management throughout the attestation process. Service organizations are now required to perform a formal risk assessment to identify and assess risks that could impact the achievement of their control objectives. This helps in aligning the controls with the organization’s overall risk management strategy and enhances the effectiveness of the attestation engagement.

Enhanced Reporting on Controls

SSAE 18 introduces new reporting requirements to provide users with more detailed information about the service organization’s controls. The description of the system and the controls now needs to include additional information such as the nature of the controls, their objectives, and their design. This increased level of detail ensures that users have a better understanding of the controls and can make more informed decisions based on the SOC reports.

Benefits of SSAE 18 over SSAE 16

These are some of the benefits of SSAE 18 over SSAE 16:

Increased Transparency and Accountability

The transition from SSAE 16 to SSAE 18 brings about increased transparency and accountability for service organizations. The inclusion of sub-service organizations and the focus on risk assessment enable a more comprehensive evaluation of the control environment. This transparency benefits both the service organizations, as they gain a deeper understanding of their control landscape, and the user organizations, as they receive more reliable and detailed information about the controls in place.

Strengthened Risk Assessment Processes

With an emphasis on risk assessment and management, SSAE 18 helps service organizations strengthen their risk assessment processes. By conducting a formal risk assessment, service organizations can identify and mitigate risks that could affect their control objectives. This proactive approach enhances the overall control environment and minimizes the likelihood of control failures and potential risks to user organizations.

Better Alignment with International Standards

SSAE 18 aligns more closely with international standards, such as the International Standard on Assurance Engagements (ISAE) 3402. This alignment facilitates international business operations and enables service organizations to provide their global clients with attestation reports that adhere to internationally recognized standards. The harmonization of standards streamlines the assessment process for service organizations operating in multiple jurisdictions.

Implications for Service Organizations

Implications for Service Organizations

Some of the implications for service organizations:

Transitioning from SSAE 16 to SSAE 18

Service organizations that were previously compliant with SSAE 16 need to transition to the new requirements outlined in SSAE 18. This transition involves a comprehensive review of internal controls, including the identification and assessment of subsurface organizations and their controls. Service organizations should work closely with their auditors to understand the new requirements and ensure a smooth transition.

Adjusting Internal Controls and Reporting Processes

The introduction of SSAE 18 necessitates adjustments to internal controls and reporting processes for service organizations. It is crucial to evaluate the control framework and make necessary modifications to address the changes in the attestation standards. This may involve additional documentation, testing procedures, and collaboration with subsurface organizations to obtain the required information for the SOC reports.

Impact on User Organizations

User organizations relying on SOC reports need to understand the changes brought about by the transition from SSAE 16 to SSAE 18. They should review the new reports and familiarize themselves with the additional information provided, such as the inclusion of sub-service organizations and the enhanced description of controls. User organizations should assess the impact of these changes on their own risk management and compliance processes to ensure they have a comprehensive understanding of the control environment of their service providers.

Evaluating Vendor Compliance and Security

With the implementation of SSAE 18, user organizations have an opportunity to evaluate the compliance and security practices of their vendors more effectively. The enhanced reporting requirements provide user organizations with greater visibility into the controls and risk management processes of their service providers. User organizations can use this information to assess the adequacy of the controls and determine if they align with their own compliance and security requirements.

By conducting thorough due diligence on the SOC reports and engaging in discussions with service providers, user organizations can gain confidence in the effectiveness of the controls and make informed decisions regarding the selection and ongoing monitoring of their vendors.


The transition from SSAE 16 to SSAE 18 marks a significant milestone in the field of service organization controls. The new standard, SSAE 18, introduces key changes that enhance transparency, accountability, and the overall assessment of controls. Service organizations are now required to include subsurface organizations in their evaluations, place a greater emphasis on risk assessment, and provide more detailed reporting on controls.

In this evolving landscape of attestation and auditing standards, both service organizations and user organizations play crucial roles in maintaining the integrity of controls and fostering trust in the services provided. By embracing the changes brought about by SSAE 18, organizations can enhance their control environments, mitigate risks, and build stronger partnerships based on transparency and accountability.

If you are looking to implement any of the Infosec compliance frameworks such as SOC 2 complianceHIPAAISO 27001, and GDPR compliance, Impanix can help. Book a Free consultation call with our experts or email us at  [email protected] for inquiries.