Tel No. (+91) 98440 42424

SSAE 18 - SOC 1


For several years, SOC 1 and SSAE 16 were synonymous. On May 1, 2017, this association ends. As a result, a SOC 1 report will only be referred to as a SOC 1, and the SSAE 18 guidance formalizes this. The most significant changes in SSAE 18 may slightly impact Service Organizations with the addition of new controls and report enhancements, but, it will have the benefit of providing additional assurance to User Organizations.

SSAE 18 builds upon and supersedes the SSAE 16, therefore, if you are a Service Organization future reports should be issued as a SOC 1 Report under the SSAE 18 guidance, while, if you are a User Organization and currently request an SSAE 16/SOC 1 Report from your vendors, after May 1, you should simply request the company’s latest SOC 1 Report.


The SSAE 18 guidance primarily clarifies existing auditing standards. It is also intended to reduce instances of duplication within similar standards that cover Examinations, Reviews and Agreed Upon Procedure engagements. As of May 1, these engagements – specifically, SSAE nos. 10-17 – will fall under the SSAE 18.

Additionally, the SSAE 18 requires the inclusion of defined Complementary Subservice Organization Controls when applicable (see below for a definition of Complementary Subservice Organization Controls). This is intended to provide clarity with regard to how Service Organizations address their own third-party vendor management obligations (which are considered fourth-party relationships to User Organizations). These fourth-party relationships and control responsibilities were not always clearly defined in prior SOC reports, leaving a potential gap in understanding the complete risk profile of an organization.

SSAE 18 appearing

As stated above, the official effective date by which the SSAE 16 can no longer be issued is May 1, 2017. Experts expect many vendors to begin providing SSAE 18s sometime between the middle to late part of 2017.

Notable updates to SOC 1 Reports

There are two updates in particular worth mentioning:

Requirement of Risk Assessments. The SOC 2 already suggests the inclusion of a Risk Assessment. This guidance will formalize the need across the board to help ensure that an organization’s controls are regularly reviewed, adequately address its risks, and are adjusted as needed.

Creation of the Complementary Subservice Organization Controls section. These clarify whether a Service Organization uses a third-party vendor or internal business unit that is critical to the delivery of products or services that fall outside the scope of the audit. In other words, if you utilize a third-party for a particular service, their responsibilities as they relate to the outsourced control activities would need to be defined in the report.

This provides a clear delineation of responsibility. These were typically part of a SOC 2 report, now, their inclusion are being formalized as a requirement under both SOC 1 and SOC 2.


The AICPA definition is as follows: “Controls that management of the service organization assumes, in the design of the service organization’s system, will be implemented by the subservice organizations and are necessary to achieve the control objectives stated in management’s description of the service organization’s system.”


Service Organisation Controls (SOC) 1 aims to protect the interest of the user entity while receiving services from the service organisation. Upon implementation of the framework, it is a demonstration of internal control over financial reporting (ICFR). We have a 6-phase Methodology, to help you achieve successful SOC 1 compliance.


Service Organisation Controls (SOC 1) is aimed at assuring a user entity that there are adequate controls over financial reporting (IFCR).

Project Phases

We have a structured approach to determine the applicable list of risks and controls that are required to achieve SOC 1 attestation. Our 6-phase approach ensures that the service organisation has adequate ‘internal controls’ to assure any Certified Public Accountant (CPA) for issuance of SSAE 18 in USA, and professional accountant in public practice for issuance of ISAE 3402, globally.

Phase I – Determination of Objectives

This phase involves determining key business objectives, from user entity, as well as of the service organisation.

Phase II – Gap Analysis

This phase involves performing gap analysis of the above listed objectives on one hand, and the applicable SOC 1 controls and risks, on the other. We provide solution for all identified gaps.

Phase III – Control Design and documentation

This phase involves our methodology that involves distribution of risks, and control responsibility to internal stakeholders. This also includes nomination of key roles such as risk officer – who will drive the ongoing compliance.

Phase IV – Tracking

This phase involves tracking the client risks, documentation and self-compliance on a weekly basis till all internal controls are adequately implemented.

Phase V – Performance Tracking

This phase involves measuring internal control changes on a scale of 0-100%. This gives assurance to internal stakeholders that the processes implemented are adequate (or at risk). If there are deviations or risks identified, they are treated.

Phase VI – Internal Audit

Internal audit followed by a formal review of the program gives organisation an independent perspective, and enables them to be ready for final attestation.

At this stage the client has implemented the governance system in completeness. Generally upon completion of one month of this, the organisation can achieve SOC 1 – Type 1 attestation, and upon completion of 6 months, the client can achieve Type 2 attestation. Here the assumption that all risks are under control that will give adequate assurance to the user entity.

ISAE 3402

Attestation standard used by global professional accountants to attest SOC 1 controls.


Attestation standard used by US based CPAs to attest SOC 1.