Statement on Standards for Attestation Engagements No. 18, also known as SSAE 18, replaced SSAE 16. This standard is designed to provide assurance that third-party service organizations have effective internal controls related to the services they are providing. Outsourcing a service doesn’t absolve an organization of its risk management duties.
SSAE 18 covers three types of service organization control (SOC) reports to help entities evaluate weaknesses in their internal control program. SOC 1 deals primarily with financial reporting. SOC 2 and SOC 3 focus on security, processing integrity and privacy principles at the service organization—key areas of concern for any financial institution.