What is SSAE 18? – Explained!

SSAE 18, or Statement on Standards for Attestation Engagements No. 18, is a professional standard set forth by the American Institute of Certified Public Accountants (AICPA). It offers guidelines on attestation engagements, which are tasks where a professional (usually an accountant or auditor) provides an opinion regarding the reliability of a written assertion made by another party.

The primary application of SSAE 18 is for service organizations to demonstrate the robustness and effectiveness of their internal controls over financial reporting (ICFR). The report generated from this evaluation is termed a SOC 1 report.

Historical Context

SSAE 18 was introduced in 2016, replacing the earlier SSAE 16 standard from 2010. The newer standard brought several changes, including:

  1. ICFR Definition: SSAE 18 offers a definition of ICFR that aligns more closely with the one presented in the Sarbanes-Oxley Act of 2002 (SOX), a U.S. federal law that set new or expanded requirements for all U.S. public company boards, management, and public accounting firms.
  2. New Reporting Option: Service organizations that don’t significantly affect their clients’ financial statements have a new reporting option under SSAE 18.
  3. Third-party Reliance Disclosure: It requires service organizations to disclose whether they depend on third-party service organizations.

Who Requires an SSAE 18 Report?

Service organizations that offer services potentially influencing the financial statements of their clients should consider obtaining a report. Examples of such organizations include:

  • Cloud Computing Providers: Companies that offer cloud-based storage, processing, or other services.
  • IT Service Providers: Firms that provide IT solutions, maintenance, or support.
  • Payroll Processors: Entities that manage payroll functions for other companies.
  • Third-party Administrators: Organizations that handle administrative tasks for another company, often in areas like insurance or benefits.
  • Marketing Agencies: Firms that handle marketing campaigns, strategies, or other related services that might have financial implications.
  • Call Centers: Centers that manage customer service, sales calls, or other phone-based services for other businesses.

What is Covered in the Report?

An SSAE 18 report delves into the design and operational effectiveness of a service organization’s Internal Controls over Financial Reporting (ICFR). It’s essential to note that while the report scrutinizes the controls’ design and functionality, it doesn’t evaluate the accuracy or completeness of the organization’s financial statements.

The breadth of the SSAE 18 report is mutually decided by the service organization and its client. Depending on the agreement:

  • The report might encompass the entirety of the organization’s ICFR.
  • Alternatively, it could focus on specific facets of ICFR. For instance, it might exclusively assess controls over revenue recognition or delve into controls over accounts payable.

Procedure for Conducting the Report

Let’s explore the procedure for conducting an SSAE 18 report.

Engagement of a CPA

The process begins with the involvement of a Certified Public Accountant (CPA). This professional is entrusted with the responsibility of evaluating the service organization’s ICFR.

Understanding the ICFR

Before any testing begins, the CPA must first grasp the intricacies of the service organization’s ICFR. This understanding is cultivated through:

  • Interviews: Engaging in discussions with the organization’s management to gain insights.
  • Observations: Directly witnessing the operations of the service organization to understand the practical application of controls.
  • Document Review: Scrutinizing relevant documentation that sheds light on the ICFR’s design and operations.

Testing the ICFR

After the initial understanding phase, the CPA tests the operational effectiveness of the ICFR. The nature and extent of these tests are tailored to the risks that were identified during that phase.

Report Compilation

Once the evaluation is complete, the CPA consolidates the findings into a comprehensive report. This document:

  • Details the procedures undertaken and the findings from the tests.
  • Offers the CPA’s professional opinion on the design and operational effectiveness of the service organization’s ICFR.

In essence, an SSAE 18 report is a rigorous assessment that provides assurance to clients and stakeholders about the robustness of a service organization’s internal controls over financial reporting.

Why is the Report Crucial?

The SSAE 18 report stands as a testament to the reliability and robustness of a service organization’s Internal Controls over Financial Reporting (ICFR). The implications of this assurance are manifold:

  1. Enhanced Trust: Clients can place greater trust in the service organization, knowing that its ICFR has been rigorously assessed and deemed reliable.
  2. Reduced Reliance: With the assurance provided by the SSAE 18 report, clients can potentially reduce their dependence on the internal controls of the service organization, as they have an external validation of their effectiveness.
  3. Informed Decision Making: The report equips clients with valuable insights, enabling them to make informed decisions about using the organization’s services.
  4. Regulatory Compliance: For many entities, regulatory frameworks mandate the assessment of service providers’ controls. The SSAE 18 report aids clients in adhering to these regulatory requirements.

Further Insights

  • Cost Implications: The financial outlay for obtaining an SSAE 18 report isn’t fixed. It fluctuates based on factors like the organization’s size and the intricacy of its operations.
  • Frequency of Reporting: The need for an SSAE 18 report isn’t constant. It varies depending on the specific service organization and the requirements of its clientele.
  • Validity Period: Typically, an SSAE 18 report holds validity for a year, after which a fresh evaluation is required.

For service organizations whose offerings might significantly influence their clients’ financial statements, the SSAE 18 report isn’t just a recommendation; it’s a necessity. Such a report not only underscores the reliability of the organization’s ICFR but also fosters a foundation of trust and assurance with its clientele.


How often is the report required?

The frequency with which an SSAE 18 report is required will also vary depending on the service organization and its clients. However, most service organizations are required to obtain an SSAE 18 report at least annually.

How do I choose a CPA firm to perform my SSAE 18 audit?

When choosing a CPA firm to perform your SSAE 18 audit, you should consider the following factors:

  • The firm’s experience with SSAE 18 audits
  • The firm’s reputation
  • The firm’s fees
  • The firm’s availability

Final Words

SSAE 18 isn’t just another standard; it’s a pivotal one for service organizations. By procuring an SSAE 18 report, these organizations not only validate the reliability of their ICFR but also fortify their credibility in the eyes of clients.

This, in turn, empowers clients to make well-informed choices regarding the utilization of the organization’s services.