Learn · Attestation Standards
SSAE 18 vs
SSAE 21
Short answer: SSAE 21 did not replace SSAE 18 for SOC 1. SOC 1 examinations still run under AT-C section 320 — the section SSAE 18 created — while SSAE 19 through 23 amended the sections around it. Here is the whole lineage, with effective dates.
Current as of July 2026: a SOC 1 is performed under AT-C 105 + AT-C 205 (as revised by SSAE 21) + AT-C 320 (from SSAE 18), with SSAE 23’s quality-management amendments in force for engagements beginning on or after December 15, 2025.
Plain-English explainer · Effective dates verified against AICPA issuances · Last reviewed July 2026
SSAE 18 is still the standard a SOC 1 report traces back to in 2026 — SSAE 21 did not supersede it for SOC 1. The confusion is understandable: the AICPA has issued five further SSAEs since SSAE 18, and one of them (SSAE 21) really did supersede a section SOC engagements use. But the attestation standards are modular. SSAE 18’s lasting contribution was recodifying everything into the AT-C sections — AT-C 320 being the SOC 1-specific one — and later SSAEs amend individual sections rather than replacing the whole framework. SSAE 21 revised AT-C 205 (assertion-based examinations) and added direct examinations (AT-C 206); AT-C 320 itself was untouched. So the technically precise phrasing auditors use today is that a SOC 1 examination is conducted “in accordance with attestation standards established by the AICPA” — colloquially, it is still “an SSAE 18 report.”
The Lineage
Every SSAE Since 2016, and What It Changed
| Standard | What it did | Effective | Impact on SOC 1 |
|---|---|---|---|
| SSAE 18 | Clarification & recodification of all US attestation standards into the AT-C sections — including AT-C 320, which governs SOC 1. Added risk assessment and stricter subservice-organization and evidence requirements. | Reports dated on or after May 1, 2017 | Foundation — SOC 1 runs on its AT-C 320 to this day. |
| SSAE 19 | Rewrote agreed-upon procedures (AUP) engagements (AT-C section 215): no more required party-responsibility assertions; procedures can be developed during the engagement. | AUP reports dated on or after July 15, 2021 | None for SOC 1/SOC 2 — AUPs are a different engagement type. |
| SSAE 20 | Amended the description of materiality in AT-C 205/210 for consistency with the SEC, PCAOB, FASB, and US judicial usage. | Examination/review reports dated on or after December 15, 2020 | Terminology only — no change to how SOC 1 examinations are scoped or tested. |
| SSAE 21 | Created direct examination engagements (new AT-C section 206) and superseded AT-C 205 with a revised “Assertion-Based Examination Engagements” section; amended AT-C 105 terminology. | Reports dated on or after June 15, 2022 | SOC 1 and SOC 2 remain assertion-based examinations under the revised AT-C 205 + AT-C 320. SSAE 21 did NOT replace SSAE 18 for SOC 1. |
| SSAE 22 | Superseded AT-C section 210, Review Engagements. | Review reports dated on or after June 15, 2022 | None — SOC engagements are examinations, not reviews. |
| SSAE 23 | Amended AT-C 105 (and conforming changes across SSAE 19/21/22) to align the attestation standards with the AICPA’s new quality-management standards (SQMS No. 1). | Engagements beginning on or after December 15, 2025 | In force for new SOC engagements since December 2025 — firm-level quality management, not a change to SOC 1 subject matter. |
Effective dates as issued by the AICPA Auditing Standards Board; early implementation was permitted for several of these standards.
What Changed in Practice
What SSAE 21 and SSAE 23 Mean For You
If you hold or are pursuing a SOC 1: nothing about your control objectives, system description, or testing changed because of SSAE 21. Its headline feature — the direct examination (AT-C 206), where the CPA examines subject matter without a management assertion — is a new engagement type that SOC 1 and SOC 2 do not use. Both remain assertion-based examinations: management still writes the assertion, and the AT-C 320 description requirements still apply unchanged.
SSAE 23 is the one worth asking your CPA firm about. For engagements beginning on or after December 15, 2025, attestation engagements fall under the AICPA’s quality-management regime (SQMS No. 1): the firm must run a risk-based system of quality management over its attestation practice. It doesn’t change what your SOC 1 covers, but it is a fair diligence question when selecting a CPA firm — and a sign a report is current when the engagement letter references it.
If a vendor hands you a report badged “SSAE 16”: that standard was superseded in May 2017. A current report should reference the AICPA attestation standards (colloquially SSAE 18) and, for international use, ISAE 3402. A stale badge usually just means stale boilerplate — but it warrants a question.
SSAE 18 vs 21 — Common Questions
Which standard is current, and what actually changed.
Is SSAE 18 still the current standard for SOC 1 in 2026?
Functionally yes. SOC 1 examinations are still performed under AT-C section 320, which SSAE 18 created (effective May 1, 2017). Later SSAEs — 19, 20, 21, 22, and 23 — amended the surrounding sections (AUPs, materiality wording, assertion-based examinations, reviews, and quality management) without replacing AT-C 320. The formally precise citation is “attestation standards established by the AICPA”; “SSAE 18 report” remains the accepted colloquial label.
Did SSAE 21 replace SSAE 18?
No. SSAE 21 (effective for reports dated on or after June 15, 2022) superseded one section — AT-C 205, reissued as “Assertion-Based Examination Engagements” — and added AT-C 206 for the new direct examination engagement. It did not supersede SSAE 18 as a whole and did not change AT-C 320, the SOC 1 section. SOC 1 and SOC 2 continue as assertion-based examinations.
What is SSAE 23 and when did it take effect?
SSAE 23, issued in June 2024, amends AT-C 105 (with conforming amendments to SSAEs 19, 21, and 22) to align the attestation standards with the AICPA’s quality-management standards, notably SQMS No. 1. It is effective for engagements beginning on or after December 15, 2025 — so it applies to SOC engagements starting from that date. It governs firm-level quality management rather than changing SOC 1 subject-matter requirements.
Is SOC 2 also performed under SSAE 18?
SOC 2 uses the same foundation — AT-C 105 and AT-C 205 (as revised by SSAE 21) — but not AT-C 320. Instead of management-defined control objectives, SOC 2 evaluates controls against the AICPA’s Trust Services Criteria, with the description prepared against the DC section 200 description criteria. So “SSAE 18” is loosely used for both, but only SOC 1 runs on AT-C 320.
What was SSAE 16, and why do people still mention it?
SSAE 16 governed SOC 1 from June 2011 until SSAE 18 superseded it for reports dated on or after May 1, 2017. It replaced the even older SAS 70. The name stuck commercially — some vendors still say “SSAE 16 audit” out of habit — but no current report should be issued under it.
Should my report say SSAE 18 or AT-C 320?
The service auditor’s opinion typically states the examination was conducted “in accordance with attestation standards established by the AICPA” — the standards themselves, not a statement number. AT-C 320 is the codified section that examination follows; SSAE 18 is the statement that created it. Marketing one-liners like “SSAE 18 (AT-C 320) / ISAE 3402” are accurate and widely used.
Related reading: the Learn hub, what AT-C section 320 requires, our full SSAE 18 guide, SOC 1 Type 1 vs Type 2, and SOC 1 services. More terms in the compliance glossary.
Written By Expert Auditors
Get in touch
Book a free consultation or send us your requirements. We respond within 24 hours.
Quick Call
Pick a time slot
Send Requirements
Get a custom quote in 24 hours