Uncategorized

SSAE 18: The Attestation Standards Behind SOC Reports, AT-C Sections Explained

SSAE 18 is the AICPA attestation standard that sits behind every SOC 1, SOC 2, and SOC 3 report a CPA firm issues. Issued by the Auditing Standards Board in April 2016 and effective for reports dated on or after May 1, 2017, it clarified and recodified the prior attestation standards into a single set of AT-C sections. If you have ever read a service auditor’s report and wondered which professional standard the firm followed, the answer is almost always SSAE 18.

Key takeaways

  • SSAE 18, formally Statements on Standards for Attestation Engagements No. 18, recodified the attestation literature into the AT-C sections of the AICPA Professional Standards, replacing the old AT sections (AICPA SSAE No. 18, Attestation Standards: Clarification and Recodification).
  • AT-C 105 sets the concepts common to all attestation engagements, AT-C 205 governs examinations, AT-C 210 governs reviews, and AT-C 215 governs agreed-upon procedures (AICPA AT-C 105, 205, 210, 215).
  • AT-C 320 is the section that governs a service auditor’s report on controls at a service organization relevant to user entities’ internal control over financial reporting, which is the SOC 1 engagement (AICPA AT-C 320).
  • SOC 2 and SOC 3 examinations are performed under AT-C 105 and AT-C 205 against the AICPA Trust Services Criteria, not under AT-C 320 (AICPA AT-C 205; TSP Section 100).
  • SSAE 18 introduced an explicit requirement for the practitioner to obtain an understanding of, and assess, the risk of material misstatement, aligning attestation work more closely with the risk model used in financial statement audits (AICPA AT-C 205.13 through .15).

What is SSAE 18?

SSAE 18 is the eighteenth Statement on Standards for Attestation Engagements issued by the AICPA Auditing Standards Board. Its full title is Attestation Standards: Clarification and Recodification, and that title describes exactly what it did. Before SSAE 18, the attestation standards lived in the AT sections of the AICPA Professional Standards and had accumulated over decades through separate statements that used inconsistent language. SSAE 18 rewrote the entire body of guidance using the clarity drafting conventions the ASB had already applied to the audit standards, and it renumbered everything into the AT-C sections.

An attestation engagement is one in which a practitioner is engaged to issue a report on subject matter, or an assertion about subject matter, that is the responsibility of another party. That is broader than a financial statement audit. It covers reports on internal controls, compliance with laws and regulations, prospective financial information, management discussion and analysis, greenhouse gas emissions, and the SOC family of reports. SSAE 18 is the rulebook for all of it.

The structure is layered. AT-C 105 holds the concepts common to every attestation engagement: independence, professional skepticism, acceptance and continuance, and the three levels of service. The level-specific sections then build on that foundation. AT-C 205 covers examinations, which provide reasonable assurance. AT-C 210 covers reviews, which provide limited assurance. AT-C 215 covers agreed-upon procedures, which provide no assurance and report only findings. Finally, the subject-matter sections in the 300 series add requirements for specific engagement types, the most important of which is AT-C 320 for service organization controls reporting.

Why SSAE 18 matters

SSAE 18 matters because it is the legal and professional basis for the report that vendors hand to their customers’ auditors. When a SaaS company gives a prospective enterprise client a SOC 2 report, that report carries a CPA firm’s opinion, and that opinion exists only because the firm performed an examination under AT-C 105 and AT-C 205. Strip away the standard and the report is just a marketing document. The standard is what makes a service auditor’s opinion something a user entity’s auditor can rely on.

For the financial reporting supply chain, AT-C 320 reports are load bearing. A user entity that outsources payroll, claims processing, or transaction hosting cannot audit controls it does not operate. Its auditor relies on the service organization’s SOC 1 report to gain comfort over controls that affect the user’s financial statements. That reliance is governed on the user-auditor side by AU-C 402, and on the service-auditor side by AT-C 320. The two halves are designed to fit together.

SSAE 18 also raised the bar on rigor. The single most cited change is the new requirement that the practitioner perform a risk assessment, the same discipline an auditor applies under the financial statement audit standards. Before SSAE 18, attestation engagements did not carry an explicit, standalone risk-assessment requirement of this kind. After SSAE 18, the practitioner must identify and assess the risk of material misstatement and design procedures responsive to those risks. The change also tightened the rules on using the work of a separate party, including subservice organizations, which is why complementary subservice organization controls now appear in nearly every SOC report. To see how SOC fits the wider assurance picture, compare it with the choices in our guide to audit vs review vs compilation.

How SSAE 18 works (the requirements)

An attestation engagement under SSAE 18 runs through a defined sequence, and the requirements live across AT-C 105 and the level-specific section that applies.

Preconditions and acceptance (AT-C 105)

Before accepting an engagement, the practitioner must be independent, must be competent to perform the work, and must conclude that the subject matter is appropriate and capable of consistent measurement against suitable criteria (AT-C 105.24 through .27). Suitable criteria are criteria that are relevant, objective, measurable, and complete. For SOC 1 the criteria are the control objectives management defines and the description criteria. For SOC 2 and SOC 3 the criteria are the AICPA Trust Services Criteria. The practitioner also obtains an acknowledgment from the responsible party that it accepts responsibility for the subject matter or its assertion.

The three levels of service

SSAE 18 defines three levels, each with a different assurance outcome. An examination (AT-C 205) provides reasonable assurance and results in an opinion. A review (AT-C 210) provides limited assurance and results in a conclusion expressed as negative assurance. Agreed-upon procedures (AT-C 215) provide no assurance and result in a report of findings, with the specified parties taking responsibility for the sufficiency of the procedures. SOC 1, SOC 2, and SOC 3 reports are examinations and therefore live under AT-C 205.

Risk assessment and evidence (AT-C 205)

In an examination, the practitioner obtains an understanding of the subject matter and other engagement circumstances sufficient to identify and assess the risk of material misstatement and to design and perform procedures (AT-C 205.13 through .15). The practitioner gathers sufficient appropriate evidence, considers materiality, and exercises professional skepticism throughout. For a SOC report that means evaluating whether controls are suitably designed and, in a Type 2 report, testing whether they operated effectively over a period.

Type 1 versus Type 2

A Type 1 report opines on the fairness of the description and the suitability of the design of controls at a point in time. A Type 2 report adds an opinion on operating effectiveness over a period, usually six or twelve months, and includes the auditor’s tests of controls and the results. Type 2 is what most enterprise customers demand because design without operating evidence proves little. The distinction applies to both AT-C 320 SOC 1 work and AT-C 205 SOC 2 work.

The written representation and the report

The practitioner obtains written representations from the responsible party (AT-C 205.50 through .52), including that management has provided all relevant information and disclosed any known noncompliance. The engagement ends with a written report. For an examination the report contains an opinion on whether the subject matter is fairly stated, or whether the assertion is fairly stated, in all material respects against the criteria.

The SOC report family mapped to AT-C sections

Report Governing AT-C section Criteria Audience and use
SOC 1 AT-C 320 (built on AT-C 105 and 205) Management’s control objectives plus the description criteria for a service organization’s system Restricted to management of the service organization, user entities, and user auditors. Addresses controls relevant to user entities’ internal control over financial reporting.
SOC 2 AT-C 105 and AT-C 205 AICPA Trust Services Criteria (security, plus optionally availability, processing integrity, confidentiality, privacy) Restricted use, intended for parties with sufficient knowledge of the system, typically customers and their auditors and regulators.
SOC 3 AT-C 105 and AT-C 205 AICPA Trust Services Criteria General use. A short-form report with no detailed description of tests, suitable for public distribution and marketing.
Examination (general) AT-C 205 Any suitable criteria for the subject matter Reasonable assurance, opinion. The base examination engagement.
Review AT-C 210 Any suitable criteria for the subject matter Limited assurance, negative-assurance conclusion. Not used for SOC.
Agreed-upon procedures AT-C 215 Procedures agreed with specified parties No assurance, findings only. Specified parties take responsibility for procedure sufficiency.

The common misconception is that SOC 2 is governed by AT-C 320. It is not. AT-C 320 is the SOC 1 section, scoped to controls relevant to financial reporting. SOC 2 and SOC 3 are examinations under the general AT-C 205 framework measured against the Trust Services Criteria. For the full breakdown of how the three SOC reports differ, see our SOC 1 vs SOC 2 vs SOC 3 comparison.

Worked example: a SOC 2 Type 2 examination under SSAE 18

Assume CloudPayments Inc, a payments platform, engages a CPA firm to perform a SOC 2 Type 2 examination covering the security and availability criteria for the period January 1 to December 31, 2025. Here is how the engagement maps to the standard.

Acceptance (AT-C 105). The firm confirms independence, confirms competence in IT controls testing, and confirms that the Trust Services Criteria are suitable criteria for the subject matter. Management acknowledges responsibility for the description of the system and provides a written assertion. The engagement is accepted.

Scope and criteria. The subject matter is CloudPayments’ description of its system and the suitability of design and operating effectiveness of controls relevant to security and availability. The criteria are the relevant Trust Services Criteria. Because the engagement covers a period and includes operating effectiveness, it is a Type 2 examination under AT-C 205.

Risk assessment (AT-C 205.13 through .15). The firm obtains an understanding of CloudPayments’ system, identifies where controls could fail to meet the criteria, and assesses the risk of material misstatement in the description and the design and operation of controls. Higher-risk areas, such as logical access provisioning and change management, receive more extensive testing.

Subservice organizations. CloudPayments hosts its production environment on a third-party cloud provider. The firm and management elect the carve-out method, so the cloud provider’s controls are excluded from the description but the complementary subservice organization controls the user must assume are disclosed. This disclosure requirement is one of the practical effects of SSAE 18.

Testing. Over the period the firm tests a sample of access requests, change tickets, and availability monitoring records. Suppose the firm finds that two of forty terminated-employee access removals exceeded the company’s stated 24-hour window. The firm evaluates whether the exception is a deviation that affects the opinion.

Representations and report (AT-C 205.50 through .52). Management signs written representations. The firm issues a Type 2 report containing the description, management’s assertion, the auditor’s opinion, and the detailed tests of controls and results, including the disclosed exceptions. If the deviations are isolated and compensating controls exist, the opinion can still be unqualified, with the exceptions disclosed in the results section so users can judge for themselves.

The output is the SOC 2 report CloudPayments sends to prospective enterprise customers. To see what an organization actually goes through to get there, read our SOC 2 audit guide.

Recent changes (effective dates, superseding standards)

SSAE 18 itself was effective for practitioners’ reports dated on or after May 1, 2017. It remains the governing recodification. The changes since then have come through later SSAEs and through updates to the criteria, not through a wholesale replacement of SSAE 18.

The takeaway is that SSAE 18 is stable as the recodified standard, while the criteria it measures against, especially the Trust Services Criteria, evolve on their own schedule.

Common pitfalls under this standard

Frequently asked questions

What is the difference between SSAE 18 and SSAE 16?
SSAE 16 was the prior service-organization standard, codified at AT Section 801. SSAE 18 replaced it as part of the 2016 recodification, moving service-organization reporting into AT-C 320 and folding the common concepts into AT-C 105 and AT-C 205. People who still say SAS 70 or SSAE 16 are usually referring to what is now a SOC 1 examination under SSAE 18.
Is SOC 2 performed under AT-C 320?
No. AT-C 320 governs SOC 1, which addresses controls relevant to user entities’ internal control over financial reporting. SOC 2 and SOC 3 are examinations under AT-C 105 and AT-C 205 measured against the AICPA Trust Services Criteria.
What is the difference between an examination, a review, and agreed-upon procedures?
An examination (AT-C 205) provides reasonable assurance and results in an opinion. A review (AT-C 210) provides limited assurance and results in a negative-assurance conclusion. Agreed-upon procedures (AT-C 215) provide no assurance and report only findings, with the specified parties responsible for the sufficiency of the procedures.
What are complementary user entity controls?
They are controls the service organization assumes the user entity has implemented for the relevant control objectives to be met. Under AT-C 320 these are disclosed in the report. The service auditor’s opinion is formed on the premise that these user-side controls operate.
What is the difference between the carve-out and inclusive methods for subservice organizations?
Under the carve-out method, the subservice organization’s controls are excluded from the description and the complementary subservice organization controls are disclosed. Under the inclusive method, the subservice organization’s relevant controls are included in the description and tested. AT-C 320 permits both, and management chooses with the practitioner.
How long is the period covered by a Type 2 report?
It is set by management and the user community, but six or twelve months is standard. A Type 2 report opines on operating effectiveness over that period, so the period must be long enough for the controls to have operated and for the auditor to gather sufficient evidence under AT-C 205.
Does SSAE 18 require independence?
Yes. AT-C 105 requires the practitioner to be independent for examination and review engagements, consistent with the AICPA Code of Professional Conduct. Agreed-upon procedures engagements also generally require independence unless an applicable rule provides otherwise.
Can a SOC report opinion be qualified?
Yes. If the description is not fairly presented, controls are not suitably designed, or, in a Type 2, controls did not operate effectively, the practitioner modifies the opinion. The report still discloses the tests and results so users can evaluate the effect of the matters giving rise to the qualification.

Bottom line

SSAE 18 recodified the attestation standards into the AT-C sections and is the professional basis for every SOC report a CPA firm issues. AT-C 105 sets the common concepts, AT-C 205 governs examinations including SOC 2 and SOC 3, and AT-C 320 governs SOC 1. The most consequential thing it added was an explicit risk-assessment requirement, which is why modern SOC engagements look much more like audits than the old SAS 70 work ever did.

Sources and methodology

AICPA Statement on Standards for Attestation Engagements No. 18, Attestation Standards: Clarification and Recodification, including AT-C Section 105 (concepts common to all attestation engagements), AT-C 205 (examination engagements, including .13 through .15 on risk assessment and .50 through .52 on written representations), AT-C 210 (review engagements), AT-C 215 (agreed-upon procedures), and AT-C 320 (reporting on controls at a service organization). SSAE No. 19 amending AT-C 215, and SSAE Nos. 20 and 21 conforming amendments. AICPA TSP Section 100 Trust Services Criteria for SOC 2 and SOC 3, and the AICPA SOC 1 description criteria. AU-C 402 on the user auditor’s consideration of service organizations is the companion standard on the user-auditor side. See also our learn hub, the SOC 2 audit guide, the SOC 1 vs SOC 2 vs SOC 3 comparison, and the audit vs review vs compilation explainer.