SSAE 18 stands for Statement on Standards for Attestation Engagements No. 18. It is a standard issued by the AICPA that governs how auditors assess and report on a service organization’s internal controls.
Introduced in 2017, SSAE 18 replaced the older SSAE 16 and strengthened the requirements around risk assessment, vendor management, and subservice providers (third parties that support a company’s services).
SOC 1, SOC 2, and SOC 3 reports are all conducted under SSAE 18 guidelines, making it the foundational framework for trust and assurance audits.
SSAE 18 ensures that service organizations are not only responsible for their own controls but also for managing the risks associated with any external partners involved in service delivery.
