SSAE 18 audits are the most widely accepted way to demonstrate control effectiveness to customers, partners, and regulatory stakeholders. These examinations, conducted under the American Institute of CPAs' Statement on Standards for Attestation Engagements No. 18, provide independent assurance over your organization's internal controls through SOC 1 and SOC 2 reports.
The framework addresses two primary use cases: SOC 1 examinations focus on controls relevant to user entities' internal control over financial reporting (for example at payroll processors or benefit plan administrators), while SOC 2 examinations evaluate controls against the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy at technology-enabled service providers. Both types deliver credible, third-party validation that your controls are suitably designed and, for a Type 2 report, operating effectively.
Success in an SSAE 18 audit requires careful planning, thorough documentation, and sustained operational discipline. The examination process involves extensive evidence gathering, control testing over specified periods, and detailed reporting that becomes a cornerstone of your compliance program. Organizations typically invest 6-12 months preparing for their first Type 2 examination, with ongoing annual renewals requiring continuous attention to control maintenance and evidence collection.
Strategic considerations for examination success
Choose the right examination type based on stakeholder needs. SOC 1 reports serve customers whose auditors need assurance over controls affecting financial statement assertions, while SOC 2 reports address broader operational and security concerns. Type 1 examinations evaluate control design at a point in time, making them suitable for newly implemented systems or interim assessments. Type 2 examinations test both design and operating effectiveness over a review period, commonly 6-12 months (shorter periods are possible but give report users less coverage), providing the assurance most customers expect. Your choice impacts audit scope, timeline, and the level of operational evidence required.
Define scope boundaries early and precisely. The Trust Services Criteria for SOC 2 include five categories: security (always required), availability, processing integrity, confidentiality, and privacy. Select only the categories that align with your service commitments to customers; unnecessary scope expansion increases audit complexity and costs without adding value. For organizations using subservice providers, decide between the inclusive and carve-out methods. Under the inclusive method the subservice organization's relevant controls are included in your system description and tested by the auditor, which requires the subservice organization's cooperation and its own management assertion. Under the carve-out method the subservice organization's controls are excluded from the scope, but you must still identify the complementary subservice organization controls you rely on and describe and test the controls you use to monitor that provider (for example, reviewing its SOC reports).
Invest in robust evidence collection systems. Modern SSAE 18 audits rely heavily on automated evidence gathering from cloud platforms, identity providers, and development tools. API integrations with AWS, Azure, Okta, GitHub, and similar systems can streamline evidence collection and enable continuous control monitoring. However, automation platforms complement but don't replace the auditor's independent testing procedures. Ensure your evidence collection approach provides sufficient, appropriate support for each control objective while maintaining clear audit trails.
Plan for subservice organization complexity. Most organizations rely on cloud providers, software vendors, and other service providers that affect control environments. Document these relationships clearly in your system description, identifying which controls you perform directly versus those you rely on subservice organizations to execute. Complementary User Entity Controls (CUECs) and Complementary Subservice Organization Controls (CSOCs) must be explicitly addressed in your control design and testing approach.
Prepare comprehensive system descriptions that meet AICPA criteria. Your system description serves as the foundation for the entire examination, detailing service commitments, system components, control objectives, and relevant policies. The AICPA's Description Criteria (DC-200) require specific disclosures about incidents, changes, and subservice organizations during the examination period. Invest time in creating accurate, complete descriptions that auditors can use to understand your environment and plan their testing procedures effectively.
Your examination readiness checklist
Pre-engagement planning
- Select qualified CPA firm with relevant industry experience
- Determine SOC 1 vs. SOC 2 based on customer requirements
- Choose Type 1 (design only) or Type 2 (design and operating effectiveness)
- Define examination period (typically 6-12 months for Type 2)
- Map service commitments to Trust Services Criteria categories
- Identify all subservice organizations and determine inclusive vs. carve-out approach
System description preparation
- Document service commitments and system requirements per DC-200
- Describe system boundaries, components, and data flows
- Identify and document all relevant subservice organizations
- Prepare complementary user entity controls (CUECs) descriptions
- Document significant incidents and system changes during examination period
- Review description for accuracy and completeness with operational teams
Control framework development
- Design controls to address each applicable Trust Services Criteria
- Map controls to the points of focus for each criterion (2017 Trust Services Criteria with the 2022 revised points of focus)
- Document control descriptions, frequencies, and responsible parties
- Establish control testing procedures and evidence requirements
- Create control matrices linking objectives to specific control activities
- Validate control design through walkthrough procedures
Evidence and documentation management
- Implement automated evidence collection for cloud and SaaS controls
- Establish document retention and version control procedures
- Create evidence repositories organized by control objective
- Test evidence collection processes before examination period begins
- Train staff on evidence gathering and documentation requirements
- Establish backup procedures for critical evidence sources
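The evidence collection paragraph under strategic considerations and the "Implement automated evidence collection" item in the checklist above both depend on automated pulls producing evidence an auditor can rely on: tied to a specific control and criterion, reproducible, and tamper-evident. The Python below is an added illustration written for this page; it is not code from the original article or from any compliance platform. The user listing is constructed inline in place of a real identity-provider or cloud IAM API response, and the control identifier AC-03 is a made-up label. CC6.1 is the Trust Services Criteria logical-access criterion this kind of check is usually mapped to. The block evaluates one control (every console user has MFA), records the result with a SHA-256 digest of the exact population checked, and chains each record to the previous one so later edits to stored evidence are detectable.

```python
"""Tamper-evident evidence records for an automated SOC 2 control check.

Hypothetical example: SAMPLE_USERS stands in for a normalised user listing
pulled from an identity provider API; it is constructed, not real output.
"""
import hashlib
import json

# Constructed sample population. "console_access" marks interactive users;
# "ci-deploy" is a service identity with API-only access.
SAMPLE_USERS = [
    {"user": "alice", "console_access": True, "mfa_enabled": True},
    {"user": "bob", "console_access": True, "mfa_enabled": False},
    {"user": "ci-deploy", "console_access": False, "mfa_enabled": False},
]

SOURCE = "idp:users (constructed sample)"


def canonical_digest(obj):
    """SHA-256 over canonical JSON so the same data always yields the same
    digest regardless of key order; this is what ties a record to the exact
    population that was tested."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def evaluate_mfa_control(users):
    """Control AC-03 (hypothetical ID, maps to CC6.1): every identity with
    console access must have MFA enabled. Returns the exception list the
    auditor will ask about; an empty list means no exceptions."""
    return [u["user"] for u in users if u["console_access"] and not u["mfa_enabled"]]


def build_evidence_record(control_id, criterion, source, snapshot, prev_digest, collected_at):
    """Evaluate the control and wrap the outcome in a record that names the
    control, the criterion, the source, the population digest and size, and
    links to the previous record's digest (None for the first record)."""
    exceptions = evaluate_mfa_control(snapshot)
    body = {
        "control_id": control_id,
        "criterion": criterion,
        "source": source,
        "collected_at": collected_at,
        "snapshot_digest": canonical_digest(snapshot),
        "population_size": len(snapshot),
        "exceptions": exceptions,
        "result": "EXCEPTION" if exceptions else "PASS",
        "prev_digest": prev_digest,
    }
    body["record_digest"] = canonical_digest(body)
    return body


def verify_chain(records):
    """Recompute every record's digest and confirm each links to the one
    before it. Any edit to a stored record, or a removed/reordered record,
    breaks the chain and returns False."""
    prev = None
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "record_digest"}
        if canonical_digest(body) != rec["record_digest"]:
            return False
        if rec["prev_digest"] != prev:
            return False
        prev = rec["record_digest"]
    return True


def collect_sample_chain():
    """Two collection runs: the first finds bob without MFA, the second runs
    after remediation. Timestamps are fixed so the output is reproducible."""
    day1 = build_evidence_record("AC-03", "CC6.1", SOURCE, SAMPLE_USERS, None,
                                 "2024-01-15T00:00:00Z")
    remediated = [dict(u, mfa_enabled=True) if u["user"] == "bob" else u
                  for u in SAMPLE_USERS]
    day2 = build_evidence_record("AC-03", "CC6.1", SOURCE, remediated,
                                 day1["record_digest"], "2024-01-16T00:00:00Z")
    return [day1, day2]


if __name__ == "__main__":
    chain = collect_sample_chain()
    print(json.dumps(chain, indent=2))
    print("chain intact:", verify_chain(chain))
```

The first record carries the exception rather than silently dropping it: an automated check that only stores passes is not evidence of operating effectiveness, and the auditor will still select their own samples and inspect the underlying source. Storing the population digest alongside the result lets you hand over the exact listing that was tested when they do.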
Management assertions and representations
- Prepare written management assertion for assertion-based examinations
- Use AICPA illustrative management representation letters as templates
- Document management's responsibility for system description accuracy
- Confirm management's assertion regarding control design and operating effectiveness
- Review assertion language with legal and executive teams
- Establish sign-off procedures for management representations
Operational readiness
- Train personnel responsible for control execution and monitoring
- Implement change management procedures affecting control environment
- Establish incident response and documentation procedures
- Create monitoring and measurement processes for ongoing control effectiveness
- Test business continuity and disaster recovery procedures if applicable
- Prepare for examiner interviews and information requests
Final examination preparation
- Conduct internal readiness assessment or pre-audit
- Remediate identified control deficiencies before examination begins
- Finalize system description and obtain management approval
- Organize evidence files for efficient auditor access
- Coordinate examination scheduling with operational teams
- Establish communication protocols with examination team
- Plan for post-examination remediation and annual renewal processes
FAQs
Q: What exactly is an SSAE 18 audit and how does it work?
A: SSAE 18 audits are independent examinations conducted under the American Institute of CPAs' attestation standards to provide third-party assurance over your organization's internal controls. They work by having a qualified CPA firm evaluate whether your controls are appropriately designed and operating effectively, resulting in either SOC 1 reports (focused on controls relevant to financial reporting) or SOC 2 reports (covering security, availability, processing integrity, confidentiality, and privacy). The examination involves extensive evidence gathering, control testing over specified periods, and detailed reporting that demonstrates control effectiveness to customers, partners, and regulatory stakeholders.
Q: How much time can automation save in the SSAE 18 audit process?
A: Modern automation platforms can significantly streamline evidence collection by integrating with cloud platforms, identity providers, and development tools like AWS, Azure, Okta, and GitHub through API connections. This enables continuous control monitoring and reduces manual evidence gathering tasks that traditionally required weeks of preparation. However, automation platforms complement but don't replace the auditor's independent testing procedures - they help you maintain audit-ready evidence throughout the year rather than scrambling to collect documentation during the examination period, ultimately reducing the operational burden of annual renewals.
Q: How do SSAE 18 audits handle integration with existing systems and data management?
A: SSAE 18 audits address system complexity through comprehensive system descriptions that document all relevant components, data flows, and third-party integrations. For subservice organizations like cloud providers and software vendors, you can choose between the inclusive method (where the provider's relevant controls are included in your description and tested, with the provider supplying its own management assertion) or the carve-out method (where the provider's controls are excluded from scope but the complementary subservice organization controls you rely on, and the controls you use to monitor the provider, are documented and tested). The framework requires explicit documentation of Complementary User Entity Controls (CUECs) and Complementary Subservice Organization Controls (CSOCs), ensuring clear boundaries around which controls you perform directly versus those you rely on external providers to execute.
Q: What are the limitations of SSAE 18 audits and where is human oversight still critical?
A: SSAE 18 audits are attestation reports carrying a CPA's opinion, not certifications, and SOC 1 and SOC 2 reports are restricted-use documents intended for customers and their auditors rather than for public marketing (the general-use alternative is a SOC 3 report). Human judgment remains essential in areas like defining appropriate scope boundaries, selecting relevant Trust Services Criteria categories based on actual service commitments, interpreting control exceptions and their business impact, and making risk-based decisions about complementary controls from subservice organizations. Additionally, while automation can collect evidence, auditors must still apply professional judgment to determine whether that evidence is sufficient and appropriate to support their opinion.
Q: What should organizations evaluate when selecting an SSAE 18 audit approach?
A: Key evaluation criteria include choosing between SOC 1 (for controls affecting financial reporting) versus SOC 2 (for broader operational and security concerns) based on stakeholder needs, selecting Type 1 (design evaluation at a point in time) versus Type 2 (design and operating effectiveness over a review period, commonly 6-12 months) based on customer expectations, and defining scope to include only the Trust Services Criteria categories that align with your actual service commitments. Organizations should also assess their CPA firm's relevant industry experience, plan for 6-12 months of preparation time for first-time Type 2 examinations, and budget for both direct audit fees and the internal resources needed for ongoing evidence collection and control maintenance.