Why “SSAE 18 vs SOC 2” Is Confusing (and Commonly Misstated)
The “SSAE 18 vs SOC 2” debate typically surfaces when buyers, vendors, and even internal teams are all talking about the same general assurance problem, but using the wrong labels.
A procurement team asks, “Do you have SSAE 18?” A founder says, “We’re going for SSAE 18 certification.” A customer security team asks for an “SSAE 18 SOC 2 report.” Everyone is circling the same planet, but not always landing on the right terminology.
SSAE 18 and SOC 2 are not competing things. They are related, but they are not interchangeable.
The AICPA defines SOC 2 as an examination and report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. SSAE 18, by contrast, is the attestation standard framework under which these kinds of engagements are performed.
That distinction matters because buyers often ask for the wrong artifact. If you answer the wrong question, you can waste months preparing the wrong report.
Quick Answer: SSAE 18 Is a Standard; SOC 2 Is a Report
The simplest accurate explanation is this: SSAE 18 is the professional attestation standard; SOC 2 is the report deliverable. The standard tells the auditor how to perform the engagement. The report is what your customers actually read.
The AICPA states that SSAE No. 18 was issued as part of its attestation clarity project, which clarified and recodified attestation standards. The same organization also explains that SOC reports are part of the AICPA’s broader SOC suite of services used to communicate controls at service organizations.
So when someone says, “We need SSAE 18,” what they usually mean is one of two things: either they want a SOC 1 report for financial-reporting-related controls, or they want a SOC 2 report for security and broader system controls.
How SSAE 18 Relates to SOC 1, SOC 2, and SOC 3
SOC 1 addresses controls at a service organization that are relevant to a user entity’s internal control over financial reporting. The AICPA positions SOC 1 specifically for management of user entities and their financial statement auditors.
SOC 2 addresses controls relevant to the Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. It is designed for customers and other specified users who need detailed information about system controls.
SOC 3 covers the same trust services subject matter as SOC 2, but in a general-use format with less detail, so it can be freely distributed. (Think of it as the marketing-friendly version.)
In plain English: SSAE 18 sits underneath the engagement methodology; SOC 1, SOC 2, and SOC 3 are the reporting formats and scopes that come out of it.
What Is SSAE 18?
SSAE 18 stands for Statement on Standards for Attestation Engagements No. 18. It is an AICPA-issued attestation standard used in examinations, reviews, and agreed-upon procedures for nonissuers. The AICPA describes SSAEs as applicable to the preparation and issuance of attestation reports for nonissuers, and specifically notes that SSAE No. 18 completed the attestation clarity project through clarification and recodification.
Who Issues SSAE 18 and Who Performs the Engagement
The AICPA Auditing Standards Board (ASB) issues SSAE standards. The actual engagement, however, is performed by an independent CPA firm or service auditor. That division of labor is important. Your company does not “self-issue” SSAE 18. A CPA firm performs an attestation engagement under that standard and then issues the related report.
What SSAE 18 Replaced (SSAE 16 / SAS 70 Context)
Historically, the service-organization reporting world moved from SAS 70 to SSAE 16, and then to SSAE 18. The AICPA’s clarity and convergence work eliminated the old SAS 70 framing, established the SOC-branded reports, and recodified the underlying attestation standards into SSAE 18. The standard was introduced in 2016 and implemented in 2017 as part of this evolution. (For international context, SSAE 18’s closest equivalent is ISAE 3402, issued by the International Auditing and Assurance Standards Board.)
That is why older buyers may still talk in legacy language. They remember SAS 70. Mid-generation buyers remember SSAE 16. Today’s market usually asks for SOC 1 or SOC 2, but sometimes with yesterday’s vocabulary still attached.
Which Engagements Fall Under SSAE 18
Within the SOC context, SSAE 18 governs how the practitioner performs examinations that lead to reports such as SOC 1, SOC 2, and SOC 3. The AICPA’s SOC suite overview frames these offerings as assurance reports used to help assess and address outsourcing risk.
What Is a SOC 2 Report?
A SOC 2 report is an independent attestation report on controls at a service organization relevant to the Trust Services Criteria. The AICPA defines SOC 2 around the five criteria categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
SOC 2 exists because businesses increasingly outsource critical systems to cloud and SaaS providers, and they want a way to evaluate whether those providers have appropriate controls in place. We’ve written an in-depth guide on what SOC 2 is, which you can read here.
What SOC 2 Evaluates (Controls Aligned to Trust Services Criteria)
SOC 2 evaluates whether the service organization’s system and controls are suitably designed—and, in a Type 2 engagement, whether they operated effectively over a review period—against the applicable TSC. Security is always part of SOC 2, while Availability, Processing Integrity, Confidentiality, and Privacy are included based on the nature of the service and customer commitments.
If you’re unsure which criteria apply to your organization, a gap analysis is a smart first step.
SSAE 18 vs SOC 2: Side-by-Side Comparison
Â
Category | SSAE 18 | SOC 2 |
What it is | Attestation standard | Report deliverable |
Issued by | AICPA Auditing Standards Board | Independent CPA firm (after the engagement) |
Primary purpose | Governs how the engagement is performed | Communicates results about controls relevant to TSC |
Scope | Broad attestation framework | Security and system controls at a service organization |
Main users | Auditors and firms performing the work | Customers, prospects, procurement, security reviewers |
Output | Professional standard / methodology | Management assertion, system description, testing, opinion |
Distribution | Not the deliverable buyers request | Restricted-use report in most cases |
Standard vs Report Deliverable
This is the big one. SSAE 18 is not something you hand to a customer. A customer asks for the report, not the standard. If someone on your team is confused about this, that’s normal—and it’s worth correcting early.
Scope: Financial Reporting (SOC 1) vs Security/Compliance Controls (SOC 2)
SOC 1 and SOC 2 both live in the same general family, but they solve different problems. The AICPA states that SOC 1 is about controls relevant to financial reporting, while SOC 2 addresses the TSC categories tied to system security and reliability. Understanding this distinction is fundamental—if you’re also weighing other frameworks, the comparison between ISO 27001 and SOC 2 is worth reading.
Where “SSAE 18” Shows Up in a SOC 2 Report (What to Look For)
Auditor’s Report Section and Applicable Professional Standards
The report will identify the professional standards under which the examination was performed. In practical terms, this is where the “SSAE” connection shows up most clearly—you’ll see a reference to the applicable AT-C sections that originate from SSAE 18.
System Description Boundaries
A SOC 2 report includes a system description outlining the services, boundaries, infrastructure, software, people, procedures, and data relevant to the examination. Reading this section carefully is essential—it tells you exactly what is (and isn’t) covered by the report.
Subservice Organizations (Carve-Out vs Inclusive Method)
This is where many teams get surprised. If you rely on a cloud host, colocation provider, or other third party, the report needs to explain how those subservice organizations are handled. SSAE 18 places stronger emphasis on monitoring subservice organizations and on describing whether they are included in the scope of the examination or carved out.
Inclusive method: The subservice organization’s controls are tested as part of the engagement.
Carve-out method: The subservice organization’s controls are excluded, and the report states that the user entity should obtain and review the subservice organization’s own SOC report.
Complementary User Entity Controls (CUECs) and Why They Matter
CUECs are the controls the user entity is expected to implement for the overall control environment to work as intended. If the provider’s controls assume the customer will manage IAM, encryption choices, backups, or log review, those assumptions are documented here.
For organizations implementing continuous monitoring for SOC 2, understanding CUECs is essential because many of these complementary controls need ongoing attention, not just a one-time setup.
Common Misconceptions (and the Correct Terminology)
“SSAE 18 Certification” vs “SOC 2 Report”
There is no formal thing called “SSAE 18 certification.” The more accurate language is that a company has obtained a SOC 2 report resulting from an examination performed under the applicable attestation standards. The AICPA does not issue certifications—it publishes the standards that CPA firms use to perform and report on engagements.
“SSAE 18 SOC 2” as Shorthand vs Formal Naming
People say it. Search engines love it. Procurement spreadsheets keep it alive. But formally, the better phrasing is simply “SOC 2 report” or “SOC 2 Type 2 report.”
“SOC 2 Compliant” vs Having an Issued SOC 2 Report
This phrase is common, but slippery. “SOC 2 compliant” can mean almost anything—from “we follow the spirit of the criteria” to “our report is in progress.” The stronger, more credible statement is: “We have an issued SOC 2 report.” That tells the buyer there is a real deliverable from a real CPA firm, not just an internal claim.
Which One Do You Need?
If a customer asks for “SSAE 18,” do not answer too quickly. Ask what they want to evaluate.
-
If they care about your impact on their financial reporting, they likely want SOC 1.
-
If they care about your security controls, availability commitments, or handling of sensitive information, they likely want SOC 2.
If customers ask for SOC 2, Type 2 is usually what they really expect once you are selling into mid-market or enterprise accounts, because that is the version showing operating effectiveness over time.
If you process transactions that affect customer financial statements, SOC 1 may be necessary—and SOC 2 may still be useful if security teams are also reviewing you.
Do You Ever Need Both SOC 1 and SOC 2?
Yes, absolutely.
Typical Scenarios for Dual Reporting
Organizations in payroll, payments, claims processing, benefits administration, and some fintech categories often need both. Finance wants SOC 1. Security and procurement want SOC 2.
How to Reduce Overlap
The efficient path is not running two totally separate universes. Smart teams align control narratives, evidence collection, and testing calendars where possible. Shared controls around access, change management, monitoring, and vendor management can support both engagements, even though the report objectives differ.
If you’re weighing compliance tooling to manage that workload, our comparison of Drata vs Vanta is a good starting point.
How to Choose the Right Path: A Practical Decision Framework
-
Start with your services and system boundaries. What do you actually do? What systems are in scope? Which data do you touch?
-
Identify customer and regulatory requirements. What are buyers asking for in security reviews, MSAs, and procurement portals?
-
Select the applicable Trust Services Criteria categories for SOC 2. Security is mandatory; the other categories depend on your commitments and risk profile.
-
Decide Type 1 vs Type 2 based on your sales motion and buyer expectations. Early-stage companies sometimes begin with Type 1 to accelerate initial deals, then move to Type 2. More mature B2B SaaS companies are increasingly expected to present Type 2.
Not sure where you stand? A gap analysis can clarify whether you need SOC 1, SOC 2, or a coordinated path to both. If you’d like to talk it through, click here to get in touch.
FAQ: SSAE 18 vs SOC 2
Is SSAE 18 the same as SOC 2?
Is SSAE 18 a SOC report?
Does SSAE 18 apply to SOC 2 Type 2?
What's the difference between SOC 1 and SOC 2 under SSAE 18?
Which is better for SaaS vendors: SSAE 18 or SOC 2?
Can I say I'm "SSAE 18 certified" if I have a SOC 2?
Final Thoughts
The cleanest takeaway is this: SSAE 18 is the standard. SOC 2 is the report. Once you separate those ideas, the rest of the decision tree gets much easier.
If your buyers are asking for “SSAE 18,” clarify whether they really need SOC 1 or SOC 2. If you are a SaaS or cloud service organization, the answer is very often SOC 2 Type 2. If your services affect customer financial statements, you may need SOC 1, and in some cases both.
If you are planning your next move, now is the right time to book a SOC readiness assessment, request an audit scoping review, or a gap analysis so you can confirm whether you need SOC 1, SOC 2, or a coordinated path to both.
