SAS 70, SSAE 16, SSAE 18 and SOC Comparison



The Complete Guide to SAS 70, SSAE 16, SSAE 18, and SOC Comparisons

What does SAS 70 stand for?

SAS 70 stands for Statement on Auditing Standards No. 70, an authoritative auditing standard developed by the American Institute of Certified Public Accountants (AICPA).

What does SSAE 16 stand for?

In 2011, the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) replaced SAS70 and became the new authoritative standard for service organization audits.


What is SOC?

The American Institute of Certified Public Accountants introduced a new reporting framework for its practitioners, known as Service Organization Controls (SOC). This enabled practitioners to deliver alternative report types depending on the individual requirements of their stakeholders and their organization.

SSAE16 offers three different reporting options, known as SOC1, SOC2, and SOC3 reports.


SOC1 reports deal with financial data.

SOC2 reports deal with non-financial data. For instance, they give service providers in the data sector a simplified way to demonstrate their safeguarding controls and ensure that the information they hold is easily and readily accessible.

SOC 1 Explained

A SOC1 report is basically the same as a SAS 70 report, with just a few minor differences.

It addresses internal control over financial reporting, and its use is restricted to User Entities and Auditor Entities. There are two different report types.

Type 1 – This outlines the management’s description of the system, along with its specific design and its ability to adhere to the multitude of control measures that are in place at a specific point in time.

Type 2 – This outlines the management’s description of the system, along with its specific design and its ability to adhere to the multitude of control measures that are in place over a defined time period.

What is SOC 2?

A SOC2 report is said to be a superior report for service providers when compared side-by-side with SOC1. It reports on relevant controls in line with the trust principles and criteria. The framework for a SOC2 report is based on a range of criteria categories and trust principles.

Criteria Categories: Communications, Monitoring, Policies, and Procedures.

Principles: Confidentiality, Availability, Security, Privacy, and Processing Integrity.

In order for any organization to become SOC2 certified, it needs to undergo a rigorous auditing process carried out by an independent body. If a company is going to handle data that is classified as PHI or governed by laws such as HIPAA, this is an essential requirement and proves that the company meets specific compliance requirements.

What is a SOC3 Report?

A SOC3 report provides a certification level for data centers and is usually for general use. It gives users a level of assurance of high availability, security at the facility, and the integrity of the data processing.

Although a SOC2 report is inclusive of service auditor testing and provides results, a SOC3 report will only provide a description of the system along with the opinion of the auditor.


Everything you Need to Know about SAS70 Reports

SAS70 was first introduced in 1992, when outsourcing was a new practice and many organizations retained much of their data processing and IT internally. Although few tasks were being outsourced at that point, concerns were raised about the standards and practices of third-party agencies. Specifically, the issues raised were linked directly to how such processes could impact the yearly financials of the companies that were affected.

SAS70 served to help auditors who worked externally to a business organize assessments of their customers' financial statements where third-party agencies were used for financial transaction reporting and processing services. SAS70 clarified the auditing needs and enabled external auditors to review and test the controls in place within these third-party agencies more quickly and more thoroughly.

As outsourcing became more common, organizations came to depend on third-party agencies for essential business processes such as manufacturing, payroll, and order fulfilment services. With the rise in popularity of technology-based innovations such as SaaS and other cloud services, SAS70 was continually being adapted and used for purposes for which it was not originally intended.

As a result, a need arose for a more robust framework and better standards of governance. The NIST 800 series and ISO 27000 have since been developed in order to address the growing needs for security and assurance within service organizations.

SAS70 outlines the precise standards which any service or independent auditor should employ to assess the stated contractual controls that exist internally within a service organization. These controls also included those which relate specifically to IT and any other associated processes. The elected auditor would then outline the description of such controls in the format of a Service Audit Report.

The SAS70 compliance standards were originally intended to simplify the criteria used for auditing standards that were in place through the SAS 55 standards.

SAS70 audits were essential to particular service organizations, including insurance claims processors, hosted data centres, and credit processing organizations, because these businesses deliver outsourcing services which can impact the operations of their customers and therefore need to verify their internal controls, specifically around data management. Since June 2015, SAS70 attestations have no longer been issued.



Everything you Need to Know about SSAE 16

The SSAE 16 regulation was developed by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). The purpose of the SSAE 16 standard was to redefine and update reporting for service organizations in relation to their compliance controls.

This reporting standard has been in place since June 2011 and was preceded by SAS70.

Why Was SSAE 16 Needed?

The change from SAS70 to SSAE was needed for a number of key reasons.

  1. Steep increase in the number of service providers
  2. Increasing complexity of the services which were being outsourced to third-party agencies
  3. Widespread adoption of cloud computing and cloud-based services
  4. Demand for a clearer understanding of service provider controls and a better way to demonstrate compliance and standards
  5. A need for a clear assurance of risk mitigation


SSAE16 Vs. SAS70

One of the fundamental differences between SSAE16 and SAS 70 is that SSAE 16 requires the service company’s management to provide a documented assertion to the auditor that the description provided is an accurate representation of its organizational systems.

This description outlines the services the organization provides along with all of the operational activities which could impact the customers of that service. Additionally, the organization needs to ensure that its description honestly outlines any control objectives along with the specific time period within which they are intended to be evaluated.

SSAE16 verifies processes and controls and requires a written assertion statement that addresses design and operational effectiveness.

Once an SSAE16 audit occurs, a Service Organization Control (SOC) 1 report is produced.

A SOC1, type 1 report is focused on the accuracy and completeness of the design of the system, controls, and/or service that is provided by the data center.

A SOC1, type 2 report is inclusive of all data contained within a SOC1 Type 1 report, along with an additional audit on the effectiveness of any such controls over a specific period of time that is typically between 6-12 months.

SOC2 and SOC3 reports offer pre-defined, standardized bench-marking for controls that specifically review the availability, security, confidentiality, processing integrity, or privacy of a system and its data.

SAS70 is known as the ‘old standard’, which was never designed for organizations that offer services such as cloud hosting, colocation, or managed dedicated servers. SAS70 was designed to provide auditors with data and verifiable information regarding data center processes and controls only as they relate to the user of the data center and their financial reporting.

A SAS70 report/audit does not set standards; it only verifies that the processes and controls an organization has in place are adhered to. There is no certification process for SAS70; it is merely a process of auditing.



In 2017, the American Institute of Certified Public Accountants replaced SSAE16 with a new standard, known as SSAE18. These changes have been introduced in order to address concerns around other AICPA standards and provide further clarity on the subject.

SSAE 18 Definition

The Statement on Standards for Attestation Engagements No. 18, or SSAE18, determines requirements and gives application direction to auditing personnel for undertaking and reporting on inspection, review, and procedural engagements, which may also include SOC attestations.

SSAE 18 is a replacement for the SSAE 16 standards. It is not a certification path, and it is not possible to become SSAE 18 certified. It is simply the name of the standard that is utilized by auditors to undertake a range of attestation reports.

What is the difference between SSAE16 and SSAE18?

Before explaining more about SSAE 18 specifics, it is important to mention that the new SSAE18 standards are a combination of previous SSAEs which were otherwise unrelated to SSAE16.

SSAE16 directly relates to SOC1 reports, which dealt with a service organization's specific controls that impacted the financial reporting of that service organization's clients.

SSAE18 deals with a multitude of attestation reports, not solely SOC1 reports.

While many people mistakenly refer to SSAE16 as SOC1 reports, the introduction of SSAE18 means that there are now even more reports that can be produced under the same SSAE heading. As such, it is important to understand that ‘SSAE’ is the standard that is used to produce a report, and each report carries its own set of data and therefore has its own identity.


What are the key SSAE16 to SSAE18 Changes?

If you are reading a SOC report that has been written using the new SSAE18 standards, then there are a number of key changes to note. These changes specifically relate to the way that service organizations manage their respective subservice entities.

A Service Organization is the entity that delivers the services. For instance, the provider of payroll processing, colocation, or cloud-based hosting services.

A Subservice Organization is a layer deeper than a service organization. It is a service organization which is used by the originating service organization in order to provide services. For instance, if your cloud-based hosting provider uses another company’s data centers to host its servers, then the organization that owns those data centers becomes a subservice organization.

The SSAE18 standard directly addresses the need for the disclosure of any relationships that fit within this criterion. According to the new SSAE18 standards, a service organization should:

Outline and detail any subservice organizations that are utilized in order to provide services.

Provide a full outline of any subservice organizational controls which the core service organization is dependent on in order to provide the primary services of their business to clients. These are referred to as Complementary Subservice Organizational Controls.

SSAE18 also outlines that any service organization will need to provide the auditor with a documented risk assessment which outlines the internal risks of the organization. The purpose of doing this is to ensure that the service organization’s controls are routinely reviewed, and that they appropriately address the risks along with offering risk mitigation.

The final point of change from SSAE16 to SSAE18 relates to the monitoring of controls within the subservice organizations. It is no longer deemed appropriate to assess these during the initial vetting process and then not to conduct any further or future checks. SSAE18 requires the following:

  1. The service organization must put controls in place that monitor the effectiveness of any respective controls within a subservice organization.
  2. The auditor needs to report back on the service organization's controls that are put in place to monitor the subservice organization.

Any future SOC or other attestation reports should now be produced in accordance with SSAE18 standards.