
AICPA Attestation Standard

SSAE 18 (AT-C 320): The Standard Behind SOC 1 Reports

The Complete Technical Guide

Everything service organizations and their advisors need to know about the attestation standard that governs every SOC 1 report issued in the United States — from its SAS 70 origins to the current AT-C Section 320 requirements.

  • Full SAS 70 → SSAE 16 → SSAE 18 historical evolution
  • 6 key AT-C 320 requirements: description, assertion, report, risk assessment
  • SSAE 18 vs ISAE 3402 — side-by-side comparison for cross-border organizations
  • Management description criteria: the 6 elements your system description must cover

100+ SOC 1 Engagements  ·  500+ Audits Across 15+ Countries

  • Effective date: May 1, 2017 — present
  • AT-C Section: 320 (SOC 1 engagements)
  • Key requirements: 6 (description through monitoring)
  • FAQs: 10 expert answers

Direct answer: SSAE 18 (Statement on Standards for Attestation Engagements No. 18) is the attestation standard issued by the AICPA Auditing Standards Board that governs SOC 1 reports in the United States. Effective May 1, 2017, it replaced SSAE 16 (which had previously replaced SAS 70 in 2011). The specific section for SOC 1 engagements is AT-C Section 320 — “Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting.” Internationally, the equivalent standard is ISAE 3402, issued by the IAASB.

The Governing Standard

What Is SSAE 18?

SSAE 18 — Statement on Standards for Attestation Engagements No. 18 — is the professional standard that sets the rules, requirements, and procedures CPA firms must follow when performing SOC 1 attestation engagements. It was issued by the AICPA Auditing Standards Board and became effective on May 1, 2017.

Unlike an auditing standard (which governs financial-statement audits), SSAE 18 is an attestation standard. The distinction matters: in an attestation engagement, the CPA opines on a subject matter — the service organization’s system of controls — against criteria (the AICPA description criteria), based on a management assertion. The service organization makes the claim; the CPA evaluates it.

SSAE 18 reorganized the entire suite of attestation standards into a clarified format using AT-C (Attestation — Clarified) sections. The section specifically governing SOC 1 engagements is AT-C Section 320: “Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting.”

Key distinction: SSAE 18 is not the SOC 1 report itself — it is the standard that dictates how the SOC 1 report is produced. Think of it as the rulebook the CPA firm must follow when examining your controls and forming their opinion. The report you hand to your clients is the output; SSAE 18 is the process that created it.

Standards Lineage

SAS 70 → SSAE 16 → SSAE 18

The standard governing service-organization controls has evolved twice since 1992. Each revision tightened requirements and aligned the US framework with international practice.

SAS 70

1992 – June 2011

Statement on Auditing Standards No. 70 — the original standard for reporting on controls at a service organization. SAS 70 was an auditing standard (governing auditors), not an attestation standard. It created the concept of service-auditor reports but lacked requirements for risk assessment and had limited guidance on subservice organizations.

SSAE 16

June 2011 – April 2017

Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 and reframed the engagement as an attestation (not an audit). SSAE 16 introduced the mandatory management assertion — service organizations now had to formally claim their controls were designed and operating effectively before the CPA opined. It aligned with ISAE 3402 internationally.

SSAE 18

May 1, 2017 – Present

Statement on Standards for Attestation Engagements No. 18 is the current governing standard. It reorganized the entire SSAE suite into a clarified format (AT-C sections), added explicit risk-assessment requirements, strengthened subservice-organization monitoring, and required practitioners to evaluate the suitability of criteria used in the engagement. AT-C Section 320 specifically governs SOC 1 engagements.

What Changed

SSAE 18 vs SSAE 16

SSAE 18 was not a cosmetic revision. Three substantive changes affect how SOC 1 engagements are planned, executed, and reported.

Standard Format
  SSAE 16 (2011–2017): Standalone document with its own section numbering
  SSAE 18 (2017–Present): Part of a clarified suite — reorganized into AT-C sections (320 for SOC 1) for consistency with other attestation standards

Risk Assessment
  SSAE 16 (2011–2017): No explicit risk-assessment requirement for the service auditor
  SSAE 18 (2017–Present): Mandatory risk assessment — the CPA must identify and assess risks of material misstatement and tailor testing accordingly

Subservice Organizations
  SSAE 16 (2011–2017): Basic guidance on the carve-out and inclusive methods
  SSAE 18 (2017–Present): Enhanced monitoring requirements — the service auditor must evaluate whether the service organization adequately monitors subservice controls, including reviewing SOC reports and tracking CSOCs

Criteria Suitability
  SSAE 16 (2011–2017): Implicit assumption that AICPA criteria were suitable
  SSAE 18 (2017–Present): Explicit requirement for the practitioner to evaluate the suitability of the criteria used in the engagement before accepting it

Management Assertion
  SSAE 16 (2011–2017): Required (introduced the mandatory management assertion that SAS 70 lacked)
  SSAE 18 (2017–Present): Required — carried forward from SSAE 16 with no substantive change

Effective Date
  SSAE 16: June 15, 2011
  SSAE 18: May 1, 2017

AT-C Section 320

Key Requirements of SSAE 18

Six core requirements define how a SOC 1 engagement is structured, executed, and reported under AT-C Section 320.

System Description Requirements

The service organization must provide a written description of its system — the services it provides, the infrastructure, software, people, procedures, and data involved, the control objectives, and the controls designed to achieve those objectives. Under SSAE 18, this description must be prepared using criteria issued by the AICPA (the "description criteria") and must be sufficiently detailed for user entities and their auditors to understand the system and the controls in place.

The Management Description Criteria

Under SSAE 18, the system description must be prepared using the AICPA’s description criteria. These six elements are not optional — omitting any one of them results in an incomplete description that the CPA cannot opine on.

Types of Services Provided

The description must identify the specific services the organization provides that are relevant to user entities' financial reporting. This is not a marketing overview — it must be precise enough for a user-entity auditor to determine which of their client's financial-statement assertions are affected.

Principal Service Commitments and System Requirements

The commitments made to user entities (via contracts, SLAs, or regulatory obligations) and the system requirements needed to meet those commitments. This includes performance thresholds, processing deadlines, accuracy targets, and any regulatory requirements the service organization must satisfy.

Components of the System

Five components must be described: (1) Infrastructure — physical and cloud infrastructure supporting the system; (2) Software — applications used to process user-entity transactions; (3) People — roles, responsibilities, and qualifications of personnel operating controls; (4) Procedures — manual and automated processes for initiating, authorizing, recording, processing, and reporting transactions; (5) Data — the data processed by the system and how it flows between components.

Control Objectives and Related Controls

Each control objective must state what it aims to achieve relative to user entities' financial reporting. Related controls must be described with enough specificity for the CPA to test them — "who does what, how often, using what evidence." Every control objective must have at least one control, and every control must trace to an objective.

Complementary User Entity Controls (CUECs)

Controls that user entities are expected to implement for the service organization's controls to function as designed. Example: the service organization processes payroll data as submitted, so the user entity must control the accuracy and authorization of the data it provides. CUECs appear in the SOC 1 report and are tested by the user entity's own auditor.

Complementary Subservice Organization Controls (CSOCs)

If the service organization uses a subservice provider under the carve-out method, the description must identify controls the subservice organization is expected to operate. If using the inclusive method, the subservice organization's controls are included in the scope of the examination and tested directly by the service auditor.
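As an added example (not from the page, the AICPA, or any CPA firm), the following Python readiness check applies the six description elements above to a constructed system description: it flags missing elements, missing system components, control objectives with no control, controls that trace to no objective, and a carve-out arrangement with no CSOCs identified. The dictionary keys and sample content are assumptions, not AICPA terminology.

```python
from dataclasses import dataclass

# The six description elements and five system components described on the page.
DESCRIPTION_ELEMENTS = (
    "services", "commitments", "components", "control_objectives", "cuecs", "csocs",
)
SYSTEM_COMPONENTS = ("infrastructure", "software", "people", "procedures", "data")


@dataclass
class Finding:
    element: str  # which of the six description elements the gap falls under
    detail: str


def check_description(desc: dict) -> list[Finding]:
    """Return one Finding per gap; an empty list means the description is complete."""
    findings: list[Finding] = []
    # Elements (1)-(6): each must be present in the description.
    for elem in DESCRIPTION_ELEMENTS:
        if elem not in desc:
            findings.append(Finding(elem, "element missing from description"))
    # Element (3): all five system components must be described.
    comps = desc.get("components", {})
    for comp in SYSTEM_COMPONENTS:
        if not comps.get(comp):
            findings.append(Finding("components", f"{comp} not described"))
    # Element (4): every objective has >= 1 control; every control traces to an objective.
    objective_ids = [o["id"] for o in desc.get("control_objectives", [])]
    covered = set()
    for c in desc.get("controls", []):
        if c.get("objective") in objective_ids:
            covered.add(c["objective"])
        else:
            findings.append(Finding("control_objectives", f"control {c['id']} traces to no objective"))
    for oid in objective_ids:
        if oid not in covered:
            findings.append(Finding("control_objectives", f"objective {oid} has no control"))
    # Element (6): the carve-out method requires the expected CSOCs to be identified.
    if desc.get("subservice_method") == "carve-out" and not desc.get("csocs"):
        findings.append(Finding("csocs", "carve-out method used but no CSOCs identified"))
    return findings


def gap_summary(desc: dict) -> dict[str, int]:
    """Count findings per description element for a quick readiness view."""
    out: dict[str, int] = {}
    for f in check_description(desc):
        out[f.element] = out.get(f.element, 0) + 1
    return out


# Constructed sample with deliberate gaps (hypothetical organisation, not real data).
SAMPLE_DESCRIPTION = {
    "services": ["payroll processing"],
    # "commitments" intentionally omitted
    "components": {"infrastructure": "cloud VMs", "software": "PayApp v3",
                   "people": "payroll ops team", "procedures": "batch run SOP"},
    "control_objectives": [{"id": "CO1", "text": "Payroll is processed completely and accurately"},
                           {"id": "CO2", "text": "Application changes are authorised"}],
    "controls": [{"id": "C1", "objective": "CO1", "text": "Batch totals reconciled daily"},
                 {"id": "C3", "objective": "CO9", "text": "Orphan control"}],
    "cuecs": ["User entity authorises payroll input files before submission"],
    "subservice_method": "carve-out",
    "csocs": [],
}
```

Running `check_description(SAMPLE_DESCRIPTION)` yields five findings across four elements; fixing each and re-running until the list is empty is the readiness loop a consultant walks through before the CPA firm is engaged.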

International Standard

ISAE 3402 — The International Equivalent

ISAE 3402 (International Standard on Assurance Engagements 3402) is issued by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board under the International Federation of Accountants (IFAC). Where SSAE 18 governs SOC 1 engagements in the United States, ISAE 3402 governs the equivalent engagement everywhere else — the European Union, the United Kingdom, Asia-Pacific, the Middle East, and beyond.

The two standards are substantially aligned. Both require a management description, a management assertion, Type 1 and Type 2 report structures, and a practitioner’s (auditor’s) opinion. The alignment is intentional — SSAE 16 was designed to converge with ISAE 3402 when it replaced SAS 70 in 2011, and SSAE 18 maintained that alignment.

Practical tip for cross-border organizations: If your user entities span the US and other jurisdictions, issue a dual report referencing both SSAE 18 and ISAE 3402. This satisfies user-entity auditors regardless of which standard framework they operate under. Most global CPA firms routinely produce dual reports.

Cross-Border Comparison

SSAE 18 vs ISAE 3402

For service organizations operating across jurisdictions, understanding the differences between the US and international standards is essential for report planning.

Issuing Body
  SSAE 18 (US): AICPA Auditing Standards Board (United States)
  ISAE 3402 (International): International Auditing and Assurance Standards Board (IAASB), part of IFAC

Jurisdiction
  SSAE 18 (US): United States — CPA firms licensed in the US follow SSAE 18
  ISAE 3402 (International): International — used in the EU, UK, Asia-Pacific, Middle East, and most jurisdictions outside the US

Governing Section
  SSAE 18 (US): AT-C Section 320 (Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting)
  ISAE 3402 (International): ISAE 3402 (Assurance Reports on Controls at a Service Organization)

Report Types
  SSAE 18 (US): Type 1 and Type 2 (same concepts)
  ISAE 3402 (International): Type 1 and Type 2 (same concepts, compatible structure)

Risk Assessment
  SSAE 18 (US): Explicit risk-assessment requirement added in SSAE 18
  ISAE 3402 (International): Risk assessment was already embedded in ISAE 3402's requirements from inception — SSAE 18 aligned with this

Cross-Acceptance
  SSAE 18 (US): US-based user-entity auditors typically require a SOC 1 under SSAE 18; a dual report can reference both standards
  ISAE 3402 (International): International auditors require ISAE 3402; many global service organizations issue dual reports referencing both SSAE 18 and ISAE 3402

Practitioner Requirements
  SSAE 18 (US): Must be a licensed CPA firm registered with a US state board of accountancy
  ISAE 3402 (International): Must be a qualified assurance practitioner under the relevant national professional body

CPA Independence

Who Can Issue a SOC 1 Report?

Only a licensed CPA firm can issue a SOC 1 report under SSAE 18. The firm must be registered with a US state board of accountancy and must hold a valid peer-review report demonstrating their competence in performing attestation engagements.

Independence is non-negotiable. The CPA firm that attests to the controls cannot be the same firm (or an affiliated entity) that designed, implemented, or operated those controls. This is why the preparation and attestation roles are always separated:

  • Compliance consultant (e.g., Tranquility Cybersecurity) helps the service organization scope, design controls, build evidence, and reach examination-ready status
  • Independent CPA firm performs the examination, tests controls, and issues the SOC 1 report with their professional opinion

Regulatory Landscape

PCAOB vs AICPA

Understanding which body governs which type of engagement prevents a common point of confusion:

AICPA Auditing Standards Board

Issues SSAE 18 and all attestation standards. Governs SOC 1 (and SOC 2, SOC 3) engagements. CPA firms performing SOC reports follow AICPA standards regardless of whether the user entity is public or private.

PCAOB (Public Company Accounting Oversight Board)

Sets standards for audits of public companies (SEC registrants). SOC 1 engagements are attestation engagements, not public-company audits, so they fall under AICPA standards. However, when a user entity is a public company, their external auditor (following PCAOB standards for the financial-statement audit) uses the SOC 1 report as evidence when assessing internal controls over financial reporting.

Bottom line: SOC 1 reports = AICPA standards (SSAE 18). Public-company audits = PCAOB standards. The two intersect when a public company’s auditor relies on a SOC 1 report, but the SOC 1 report itself is always issued under AICPA authority.

Frequently Asked Questions

Expert answers on SSAE 18, AT-C Section 320, ISAE 3402, and the standards behind SOC 1 reports.

What is SSAE 18?

SSAE 18 (Statement on Standards for Attestation Engagements No. 18) is the attestation standard issued by the AICPA Auditing Standards Board that governs SOC 1 engagements in the United States. It became effective on May 1, 2017, replacing SSAE 16. The specific section governing SOC 1 reports is AT-C Section 320 — "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting." SSAE 18 sets the rules that CPA firms must follow when examining and opining on a service organization's controls.

What is the difference between SSAE 18 and SSAE 16?

SSAE 18 replaced SSAE 16 effective May 1, 2017, with three key changes: (1) it introduced an explicit risk-assessment requirement — the CPA must now identify and assess risks of material misstatement before designing their testing approach; (2) it enhanced subservice-organization monitoring requirements — the service auditor must evaluate whether the service organization adequately monitors its subservice providers' controls; (3) it reorganized the entire SSAE suite into a clarified AT-C format for consistency with other AICPA professional standards. The management assertion requirement introduced by SSAE 16 was carried forward unchanged.

Did SSAE 18 replace SAS 70?

Not directly. SSAE 16 replaced SAS 70 in June 2011, and then SSAE 18 replaced SSAE 16 in May 2017. The full evolution is SAS 70 (1992-2011) to SSAE 16 (2011-2017) to SSAE 18 (2017-present). SAS 70 was an auditing standard; SSAE 16 reframed the engagement as an attestation and introduced the management assertion; SSAE 18 added risk assessment and enhanced subservice monitoring. References to "SAS 70 reports" are outdated — the correct term for over a decade has been "SOC 1 report under SSAE 18."

What are the requirements of SSAE 18 for SOC 1?

AT-C Section 320 of SSAE 18 requires: (1) a management description of the service organization's system, prepared using the AICPA description criteria; (2) a written management assertion that the description is fairly presented and controls are suitably designed (and for Type 2, operating effectively); (3) the service auditor to perform a risk assessment before designing test procedures; (4) the service auditor to evaluate subservice-organization monitoring; (5) the service auditor to issue a report with their opinion, description of tests performed, and results. The report must distinguish between Type 1 (design only) and Type 2 (design plus operating effectiveness).

What is ISAE 3402 and how does it relate to SSAE 18?

ISAE 3402 is the international equivalent of SSAE 18, issued by the International Auditing and Assurance Standards Board (IAASB). It governs the same type of engagement — examining controls at a service organization relevant to user entities' financial reporting — but is used outside the United States. The two standards are substantially aligned in structure and requirements. Service organizations with both US and international user entities often issue dual reports that reference both SSAE 18 and ISAE 3402 to satisfy both audiences.

Who can issue a SOC 1 report under SSAE 18?

Only a licensed CPA firm can issue a SOC 1 report. The firm must be registered with a US state board of accountancy (or equivalent national body for ISAE 3402) and must be independent of the service organization — meaning the firm that performs the attestation cannot have designed, implemented, or operated the controls being examined. Consulting firms like Tranquility Cybersecurity help service organizations prepare for the examination, but the attestation opinion must come from an independent CPA firm.

What is the management description criteria under SSAE 18?

The AICPA description criteria require the system description to cover: (1) the types of services provided; (2) principal service commitments and system requirements; (3) the five components of the system — infrastructure, software, people, procedures, and data; (4) control objectives and the specific controls designed to achieve them; (5) complementary user entity controls (CUECs) that user entities must operate; and (6) complementary subservice organization controls (CSOCs) for any subservice providers. The description must be specific enough for user-entity auditors to evaluate the impact on their own financial-statement audits.

What changed with risk assessment in SSAE 18 compared to SSAE 16?

SSAE 16 did not include an explicit risk-assessment requirement for the service auditor. SSAE 18 requires the CPA to perform a risk assessment — identifying and evaluating the risks of material misstatement in the system description, the suitability of control design, and (for Type 2) operating effectiveness — before designing and executing test procedures. This means the CPA now tailors their testing based on assessed risk: higher-risk controls receive more extensive testing rather than a uniform flat sample across all controls.

What is the role of the PCAOB vs the AICPA in SOC 1 attestation?

The AICPA Auditing Standards Board issues SSAE 18, which governs SOC 1 attestation engagements. The PCAOB (Public Company Accounting Oversight Board) sets auditing standards for audits of public companies registered with the SEC. SOC 1 reports are attestation engagements — not audits of public companies — so they fall under AICPA standards, not PCAOB standards. However, when a user entity is a public company, their external auditor (who follows PCAOB standards for the financial-statement audit) will reference the SOC 1 report as part of their assessment of internal controls.

Can a SOC 1 report be issued under both SSAE 18 and ISAE 3402?

Yes. A dual report references both standards and satisfies both US and international user-entity auditors. The CPA firm issuing the report must be qualified under both frameworks — typically a global accounting firm or a US CPA firm with the appropriate credentials. The dual report follows the more stringent requirement where the two standards differ, which is a minimal concern since they are substantially aligned. Dual reporting is common for service organizations with a geographically diverse user-entity base.

Written By Expert Auditors

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor · ISO 27701 Lead Auditor

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO · DPO · CISA · MCSE · ITIL · ISO 27001 Lead Auditor · ISO 27701 Lead Auditor · ISO 42001 Lead Auditor

Last reviewed: June 2026
Content verified by certified lead auditors
