What Makes a Company SSAE 18 Compliant?

To become SSAE 18 compliant, a company (typically a service organization) must undergo a thorough audit conducted by an independent Certified Public Accountant (CPA) or auditing firm. This audit assesses the company’s systems and processes to confirm that they meet the standards set by SSAE 18. The key steps and components that make a company SSAE 18 compliant are listed below.

The 12 Key Steps

  1. Understand the Scope of the Audit: The company needs to determine which type of Service Organization Control (SOC) report is applicable. SOC 1 reports are most relevant for SSAE 18, focusing on financial reporting controls.
  2. Select the Type of SOC 1 Report: Decide between a Type I report, which assesses the design of controls at a specific point in time, or a Type II report, which evaluates the effectiveness of these controls over a period (usually a minimum of six months).
  3. Engage an Independent Auditor: Hire a qualified CPA or an auditing firm with experience in conducting SSAE 18 audits.
  4. Conduct a Readiness Assessment: Before the formal audit, perform a readiness assessment to identify any potential gaps or weaknesses in the control environment.
  5. Documentation of Controls and Processes: The company must thoroughly document its internal controls and processes relevant to the services provided. This includes information on how these controls are designed and operated.
  6. Implement Controls for Subservice Organizations: If the company uses subservice organizations (vendors or third-party service providers), it must ensure that these entities also have appropriate controls in place.
  7. Management’s Written Assertion: As part of the audit, the company’s management must provide a written assertion. This statement declares that the controls are suitably designed (and operational in the case of a Type II report) and that the system description accurately reflects the service organization’s system.
  8. Risk Assessment and Addressing Identified Gaps: Conduct a comprehensive risk assessment of the control environment. Any identified gaps or weaknesses must be addressed before the audit.
  9. Undergo the SSAE 18 Audit: The independent auditor will review the company’s system and controls, assessing their design and operational effectiveness (in the case of a Type II report).
  10. Remediation of Issues: If the auditor identifies any issues, the company must remediate these issues in a timely manner.
  11. Obtain the Auditor’s Report: After the audit, the auditor will provide a report on the company’s controls. This report is critical for demonstrating SSAE 18 compliance to clients and stakeholders.
  12. Continuous Monitoring and Improvement: SSAE 18 compliance is not a one-time event. The company should continuously monitor its control environment and make improvements where necessary to ensure ongoing compliance.
Becoming SSAE 18 compliant indicates that a company has a strong commitment to maintaining a secure and reliable control environment, which is crucial for its clients, especially those in industries where financial reporting accuracy is paramount. It demonstrates to clients and stakeholders that the company is serious about protecting the integrity and confidentiality of the information it handles.