What is SSAE 18 Compliance?
Statement on Standards for Attestation Engagements no. 18 (SSAE 18) is an auditing standard for service organizations. Many industries and organizations require it of vendors that provide them services. The examinations performed under this standard produce what are known as SOC reports.
Even in industries that are not heavily regulated, SOC reports have become standard for vendor management and vendor risk assessments. SOC reports may also be used as a marketing tool, objectively attesting that the organization follows financial, cybersecurity, and privacy guidelines.
SSAE 18 superseded SSAE 16. SOC superseded SAS 70.
What’s the difference between a SOC 1, SOC 2 & SOC 3 Audit?
Service Organization Control (SOC) audits test that the company has the right controls in place. These audits come in 3 categories:
SOC 1 – Controls over financial reporting. This is most relevant for organizations that provide financial services, such as payroll, banking, investments, capital management, etc.
SOC 2 – focuses on information security, privacy, integrity, and confidentiality, addressing both cybersecurity and business process controls. The list of controls usually follows a selected framework, taking into account additional requirements from partnering businesses.
SOC 3 – usually overlaps with SOC 2 on the list of audited controls, but is not restricted in distribution and is usually presented publicly. This can become a powerful marketing tool, posted freely on a website, to provide comfort for clients and partners.
In addition, the SOC audits come in 2 types:
- Type I – a report that audits the state of the company's controls as of the audit date
- Type II – a report that audits the state of the controls over a period of time, usually the last 12 months. This provides more assurance, stating that the controls were effectively in place for the whole period.
The right category and type of a SOC report depends on the industries you serve, the services you provide, and the specific need for the report.
How can GoldSky Security support your SSAE 18 compliance needs?
GoldSky works with service organizations in need of SSAE 18 reports: SOC 1, SOC 2, SOC 3, type I, and type II.
GoldSky examines the controls and their effectiveness, and consults on identified deficiencies and potential improvements (gap analysis).
GoldSky collects the evidence of controls in place and delivers formal reports and opinions on the state of those controls. These are the SOC reports that can be used as part of RFPs, audits, or marketing efforts.
GoldSky Security has offices in Orlando, Denver, Tampa, Nashville, Washington D.C., and Phoenix, and can help support your SOC 1, SOC 2 or SOC 3 audits.
“We could not be more pleased with our partnership with GoldSky Security. The experience and professionalism from your team have exceeded our expectations from day one. Your team was on-site within a week of our initial call. We appreciate the responsiveness and expertise you provided in performing our NIST 800-171 Gap Assessment and now CSOaaS program. Having an On-Demand CSO partner to assist us in building a sound cybersecurity program while maintaining NIST 800-171 compliance has proven to be both efficient and cost-effective. Thanks!”