SSAE 16 vs. SSAE 18: what changed (and what it means for SOC reports)
As your company grows, it’s normal to encounter a tangle of acronyms—SSAE 16, SSAE 18, SOC 1, SOC 2—often in customer security reviews, auditor conversations, or procurement questionnaires.
The short version: when comparing SSAE 16 vs. SSAE 18, you’re really asking which AICPA attestation standard underpins modern SOC reporting, and what expectations have evolved as more business-critical systems moved to the cloud.
This guide covers:
- What SSAE 16 and SSAE 18 are (in plain English)
- The practical differences between SSAE 16 vs SSAE 18 (and why SSAE 18 is the modern baseline)
- How the change affects SOC 1 and SOC 2 reports
- What to do if you’re preparing for a SOC 2 audit

Key takeaways
- SSAE standards are “how auditors do attestation work,” not the report itself. SOC reports are issued under an attestation standard; SSAE 18 is the modern baseline in the U.S.
- SSAE 18 replaced SSAE 16. SSAE 16 was widely used historically (especially in SOC 1 contexts), but SSAE 18 is the current, more comprehensive standard.
- SOC 2 is about your trust controls; SSAE is about the audit engagement standard. Many buyers say “SOC 2 audit,” but the SOC 2 report is produced under an attestation framework (commonly SSAE 18 in the U.S.).
- For most teams, the “what do I do?” answer is operational. Clear scope, assigned control owners, repeatable evidence collection, and a clean audit trail matter more than memorizing the acronyms.
SSAE 16 vs. SSAE 18 (quick comparison)
Use this table when someone asks, “Wait—what’s the difference between SSAE 16 vs SSAE 18?”
| Topic | SSAE 16 | SSAE 18 |
|---|---|---|
| Full name | Statement on Standards for Attestation Engagements No. 16 | Statement on Standards for Attestation Engagements No. 18 |
| Status | Largely superseded | Current baseline standard (commonly referenced) |
| Who sets it | AICPA | AICPA |
| Where you’ll hear it | Older SOC terminology and legacy vendor documentation | Modern SOC reporting conversations (SOC 1 / SOC 2 / SOC 3) |
| Practical takeaway | You may still see the term, but it’s not the modern standard | Use as the default reference when discussing attestation standards for SOC reports |
What is SSAE 16?
SSAE 16 stands for Statement on Standards for Attestation Engagements #16.
In practice, SSAE 16 is a set of auditing standards established by the AICPA to guide how auditors perform certain attestation engagements—you’ll often see it associated with SOC 1 reporting in older materials.
Today, SSAE 16 is commonly discussed because it was widely adopted—and then later replaced—so it still shows up in templates, older customer questionnaires, or vendor pages that haven’t been refreshed.
What is SSAE 18?
SSAE 18 stands for Statement on Standards for Attestation Engagements #18.
It is the modern AICPA attestation standard that consolidated and updated prior guidance. Many SOC engagements today are performed under SSAE 18 (and you’ll often see it cited in the context of SOC 2 and SOC 3 reporting).
If you’re preparing for a SOC 2 report in the U.S., SSAE 18 is the attestation standard you’ll most commonly hear.
Why did SSAE 18 replace SSAE 16?
The business context changed.
Cloud infrastructure, outsourced processing, and third-party services became core to how companies operate—and those shifts increased the need for attestation standards that better reflect modern control environments and third-party risk realities.
When you zoom out, the SSAE 16 → SSAE 18 transition reflects an industry trend: companies can move faster than ever, but the security and reliability expectations from customers (and their auditors) have to keep up.
How this affects SOC 1 and SOC 2 reports
SSAE standards shape how the engagement is conducted, while SOC reports describe what was tested and what the auditor concluded.
Here’s the practical mapping most teams need:
| You need… | Typical report | Typical attestation standard reference | Common “buyer language” |
|---|---|---|---|
| Controls relevant to financial reporting at a service org | SOC 1 | SSAE 18 (modern), SSAE 16 (legacy references) | “SOC 1 for auditors / finance” |
| Controls aligned to the Trust Services Criteria (security, availability, etc.) | SOC 2 | SSAE 18 (commonly referenced in U.S. contexts) | “SOC 2 for customers” |
If you’re a SaaS company selling to enterprises, SOC 2 is usually the report customers ask for. SSAE 18 is the attestation standard that commonly underpins how that SOC engagement is performed (exact scoping and engagement details depend on your CPA firm).
What to do in practice (for fast-growing teams)
If you’re reading this because you’re staring down a SOC 2 timeline, treat SSAE terms as context—not the main project.
Focus on the work that moves audit readiness forward:
- Define scope early: products, systems, and entities in-scope.
- Choose Trust Services Criteria intentionally: Security is required; adding other criteria increases evidence expectations.
- Assign owners and cadence: every control needs an accountable owner and a real operating rhythm.
- Make evidence repeatable: aim for evidence that’s generated or exported consistently, with timestamps and an audit trail.
- Run a readiness pass: even a lightweight readiness assessment typically prevents weeks of late-cycle rework.
Looking to automate SOC 2 audit prep?
SOC 2 prep becomes painful when evidence is scattered across tools, owners, and folders—especially once you have multiple environments, a growing vendor list, and more customers asking for proof.
SecureSlate helps teams reduce audit drag by centralizing controls, ownership, and evidence—and by making recurring workflows (like access reviews and policy acknowledgements) easier to run on schedule.
- If you want to see what “audit-ready” looks like in practice, request a demo.
- If you prefer to explore hands-on, you can also start a trial.
Frequently asked questions
Is SSAE 16 still used?
You may still see SSAE 16 referenced in older documentation, but SSAE 18 is the modern standard that replaced it in many contexts. For any live engagement, confirm the applicable standards with your CPA firm.
Is SSAE 18 required for SOC 2?
SOC 2 reports are issued under an attestation standard; in U.S. contexts, SSAE 18 is commonly referenced. The exact engagement framework and reporting details depend on your auditor and the type of report you’re pursuing.
What’s the difference between SSAE and SOC?
SSAE refers to AICPA attestation standards that guide how the engagement is performed. SOC refers to the resulting report type (SOC 1, SOC 2, SOC 3) and what the report covers.
Disclaimer (legal note)
This article is for general informational purposes and is not legal or audit advice. Attestation standards and reporting requirements depend on your circumstances and your CPA firm’s professional judgment. For formal guidance, work with a licensed CPA firm and qualified counsel.