The Statement on Standards for Attestation Engagements Number 18 (SSAE 18) was issued by the AICPA for reporting on controls at a service organization. SSAE 18 supersedes the previous standard, SSAE 16. A service organization is considered any entity that provides a specific service for other entities. A user entity is any entity that outsources a task to a service organization. The application of SSAE 18 is specific to controls affecting the financial statements of a user entity and the resulting Service Organization Control 1 (SOC 1) report is not for general distribution. If your company requires a more general use report, please contact us regarding SOC 2 and SOC 3 reports and see the AICPA’s overview at:AICPA Overview
It is important to note that there are no SSAE 18 or SOC 1 certifications
There are two varieties of SOC 1 engagements
A Type 1 engagement, where the auditor reports on the fairness of the presentation of management’s description of the organization’s system and the suitability of the design of the controls to attain the related control objectives included in management’s description of controls as of a specific date. This report provides less assurance than a Type 2 report.
A Type 2 engagement includes Type 1 requirements and additionally requires the auditor to report on the operating effectiveness of the controls. This report provides greater assurance than a Type 1 report due to the testing of control effectiveness.