SSAE16 Has a Big Brother, Here’s What You Need To Know!

There are a lot of standards out there: HIPAA, PCI, and more. Adhering to these standards may seem costly or unnecessary, but it is vital to the security of your company and your customers. Here’s the scoop on SSAE16, now SSAE18.

Cyber security is more than just antivirus on your desktop, or firewall protecting your server. Data is valuable, so valuable in fact that people will pay millions to make sure it stays safe. It’s also valuable enough that the government will fine you if you fail to comply with certain regulations and standards.

One of these regulations is SSAE16 (now SSAE18). It stands for Statement on Standards for Attestation Engagements and is the replacement for SAS 70, which is the auditing standard under the Sarbanes-Oxley Act, or Public Company Accounting Reform and Investor Protection Act. Basically, it’s a set of regulations to ensure correct reporting of financial records of companies.

If you work with other companies that are publicly traded, or you are a service provider of some kind, you probably need to be audited. According to, “If your Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), you will more than likely be asked to provide a SOC 1 Type II Report, especially if the User Organization is publicly traded.”

SOC is the type of report created by the audit. There are 3 different types of SOCs or reports. The first, SOC 1, is the most common. According to, it’s “an engagement performed under SSAE16 in which a service auditor reports on controls at a service organization that may be relevant to user entities’ internal control over financial reporting.” You’ve probably seen or heard of SOC 1 Type 1, or Type 2. Here are the basic differences:

SOC 1 Type 1

This is the first type of report; it entails the details of the company’s control landscape at any given moment. In other words, it’s a snapshot of the day audited.

SOC 1 Type 2

This is similar to Type 1, except that instead of showing a screenshot it shows a pattern of the control landscape over a period of time, usually 6 months.


This report is also similar to SOC 1, but it deals with the specifics of the system’s security measures, availability, and processing integrity.


These reports are more for general use and are based on the WebTrust and SysTrust principles, which are criteria designed by the AICPA (American Institute of Certified Public Accountants) to promote trust among companies and their customers.

Recently, SSAE16 was updated to become SSAE18. The key differences to its predecessor include the classification of organizations to include subservice organizations. These are companies or groups that provide service to another organization. For example, if you are a customer of hosting Company A that uses Company B as it’s data center, then Company B is a subservice organization. Both A and B are required to conform to SSAE18 standards, but each has its own parameters.

Think you’re part of an organization who needs to comply with SSAE18 regulations? Learn more here!