Skip to main contentChat with us

Learn · Attestation Standards

SSAE 18 vs
SSAE 21

Short answer: SSAE 21 did not replace SSAE 18 for SOC 1. SOC 1 examinations still run under AT-C section 320 — the section SSAE 18 created — while SSAE 19 through 23 amended the sections around it. Here is the whole lineage, with effective dates.

Current as of July 2026: a SOC 1 is performed under AT-C 105 + AT-C 205 (as revised by SSAE 21) + AT-C 320 (from SSAE 18), with SSAE 23’s quality-management amendments in force for engagements beginning on or after December 15, 2025.

6SSAEs issued since 2016: 18–23
§320unchanged for SOC 1 since 2017
Dec 2025SSAE 23 in force

Plain-English explainer · Effective dates verified against AICPA issuances · Last reviewed July 2026

SSAE 18 is still the standard a SOC 1 report traces back to in 2026 — SSAE 21 did not supersede it for SOC 1. The confusion is understandable: the AICPA has issued five further SSAEs since SSAE 18, and one of them (SSAE 21) really did supersede a section SOC engagements use. But the attestation standards are modular. SSAE 18’s lasting contribution was recodifying everything into the AT-C sections — AT-C 320 being the SOC 1-specific one — and later SSAEs amend individual sections rather than replacing the whole framework. SSAE 21 revised AT-C 205 (assertion-based examinations) and added direct examinations (AT-C 206); AT-C 320 itself was untouched. So the technically precise phrasing auditors use today is that a SOC 1 examination is conducted “in accordance with attestation standards established by the AICPA” — colloquially, it is still “an SSAE 18 report.”

The Lineage

Every SSAE Since 2016, and What It Changed

StandardWhat it didEffectiveImpact on SOC 1
SSAE 18Clarification & recodification of all US attestation standards into the AT-C sections — including AT-C 320, which governs SOC 1. Added risk assessment and stricter subservice-organization and evidence requirements.Reports dated on or after May 1, 2017Foundation — SOC 1 runs on its AT-C 320 to this day.
SSAE 19Rewrote agreed-upon procedures (AUP) engagements (AT-C section 215): no more required party-responsibility assertions; procedures can be developed during the engagement.AUP reports dated on or after July 15, 2021None for SOC 1/SOC 2 — AUPs are a different engagement type.
SSAE 20Amended the description of materiality in AT-C 205/210 for consistency with the SEC, PCAOB, FASB, and US judicial usage.Examination/review reports dated on or after December 15, 2020Terminology only — no change to how SOC 1 examinations are scoped or tested.
SSAE 21Created direct examination engagements (new AT-C section 206) and superseded AT-C 205 with a revised “Assertion-Based Examination Engagements” section; amended AT-C 105 terminology.Reports dated on or after June 15, 2022SOC 1 and SOC 2 remain assertion-based examinations under the revised AT-C 205 + AT-C 320. SSAE 21 did NOT replace SSAE 18 for SOC 1.
SSAE 22Superseded AT-C section 210, Review Engagements.Review reports dated on or after June 15, 2022None — SOC engagements are examinations, not reviews.
SSAE 23Amended AT-C 105 (and conforming changes across SSAE 19/21/22) to align the attestation standards with the AICPA’s new quality-management standards (SQMS No. 1).Engagements beginning on or after December 15, 2025In force for new SOC engagements since December 2025 — firm-level quality management, not a change to SOC 1 subject matter.

Effective dates as issued by the AICPA Auditing Standards Board; early implementation was permitted for several of these standards.

What Changed in Practice

What SSAE 21 and SSAE 23 Mean For You

If you hold or are pursuing a SOC 1: nothing about your control objectives, system description, or testing changed because of SSAE 21. Its headline feature — the direct examination (AT-C 206), where the CPA examines subject matter without a management assertion — is a new engagement type that SOC 1 and SOC 2 do not use. Both remain assertion-based examinations: management still writes the assertion, and the AT-C 320 description requirements still apply unchanged.

SSAE 23 is the one worth asking your CPA firm about. For engagements beginning on or after December 15, 2025, attestation engagements fall under the AICPA’s quality-management regime (SQMS No. 1): the firm must run a risk-based system of quality management over its attestation practice. It doesn’t change what your SOC 1 covers, but it is a fair diligence question when selecting a CPA firm — and a sign a report is current when the engagement letter references it.

If a vendor hands you a report badged “SSAE 16”: that standard was superseded in May 2017. A current report should reference the AICPA attestation standards (colloquially SSAE 18) and, for international use, ISAE 3402. A stale badge usually just means stale boilerplate — but it warrants a question.

SSAE 18 vs 21 — Common Questions

Which standard is current, and what actually changed.

Is SSAE 18 still the current standard for SOC 1 in 2026?

Functionally yes. SOC 1 examinations are still performed under AT-C section 320, which SSAE 18 created (effective May 1, 2017). Later SSAEs — 19, 20, 21, 22, and 23 — amended the surrounding sections (AUPs, materiality wording, assertion-based examinations, reviews, and quality management) without replacing AT-C 320. The formally precise citation is “attestation standards established by the AICPA”; “SSAE 18 report” remains the accepted colloquial label.

Did SSAE 21 replace SSAE 18?

No. SSAE 21 (effective for reports dated on or after June 15, 2022) superseded one section — AT-C 205, reissued as “Assertion-Based Examination Engagements” — and added AT-C 206 for the new direct examination engagement. It did not supersede SSAE 18 as a whole and did not change AT-C 320, the SOC 1 section. SOC 1 and SOC 2 continue as assertion-based examinations.

What is SSAE 23 and when did it take effect?

SSAE 23, issued in June 2024, amends AT-C 105 (with conforming amendments to SSAEs 19, 21, and 22) to align the attestation standards with the AICPA’s quality-management standards, notably SQMS No. 1. It is effective for engagements beginning on or after December 15, 2025 — so it applies to SOC engagements starting from that date. It governs firm-level quality management rather than changing SOC 1 subject-matter requirements.

Is SOC 2 also performed under SSAE 18?

SOC 2 uses the same foundation — AT-C 105 and AT-C 205 (as revised by SSAE 21) — but not AT-C 320. Instead of management-defined control objectives, SOC 2 evaluates controls against the AICPA’s Trust Services Criteria, with the description prepared against the DC section 200 description criteria. So “SSAE 18” is loosely used for both, but only SOC 1 runs on AT-C 320.

What was SSAE 16, and why do people still mention it?

SSAE 16 governed SOC 1 from June 2011 until SSAE 18 superseded it for reports dated on or after May 1, 2017. It replaced the even older SAS 70. The name stuck commercially — some vendors still say “SSAE 16 audit” out of habit — but no current report should be issued under it.

Should my report say SSAE 18 or AT-C 320?

The service auditor’s opinion typically states the examination was conducted “in accordance with attestation standards established by the AICPA” — the standards themselves, not a statement number. AT-C 320 is the codified section that examination follows; SSAE 18 is the statement that created it. Marketing one-liners like “SSAE 18 (AT-C 320) / ISAE 3402” are accurate and widely used.

Related reading: the Learn hub, what AT-C section 320 requires, our full SSAE 18 guide, SOC 1 Type 1 vs Type 2, and SOC 1 services. More terms in the compliance glossary.

Written By Expert Auditors

Surendra Pal Singh
Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISODPOCISAMCSEITILISO 27001 Lead AuditorISO 27701 Lead AuditorISO 42001 Lead Auditor
Saundhi Chauhan
Saundhi Chauhan
Lead Auditor
ISO 27001 Lead AuditorISO 27701 Lead Auditor
Last reviewed: July 2026Content verified by certified lead auditors

Get in touch

Book a free consultation or send us your requirements. We respond within 24 hours.

Quick Call

Pick a time slot

Send Requirements

Get a custom quote in 24 hours

We're Online

⚠️ Business inquiries only. Personal email addresses will be rejected.

24hr Response
Free Consultation
No Obligations