Skip to content
Ever Works

SSAE 18 (Statement on Standards for Attestation Engagements No. 18)

SSAE 18 is an attestation standard used for auditing and reporting on the controls of service organizations, such as cloud-based time tracking and attendance providers. Vendors that undergo SSAE 18/SOC examinations demonstrate that they maintain appropriate controls over security, availability, processing integrity, confidentiality, and privacy. For time tracking, choosing an SSAE 18-audited provider helps ensure that employee time data is securely stored, properly backed up, and reliably available, supporting compliance, auditability, and disaster recovery requirements.

Last updated: 2025-12-24 15:38

SSAE 18 (Statement on Standards for Attestation Engagements No. 18)

Category: Practices
Brand: AICPA
Tags: compliance, enterprise, privacy

Overview

SSAE 18 is a set of attestation and auditing standards issued by the American Institute of Certified Public Accountants (AICPA). It defines a common framework for independent auditors to examine and report on a service organization’s controls related to handling sensitive client data.

It is the foundational standard used for SOC (System and Organization Controls) examinations and reports (SOC 1, SOC 2, SOC 3).

Purpose

Features / Scope

Who It’s For (Typical Users / Applicable Organizations)

SSAE 18 is relevant for service organizations that process, store, or transmit sensitive data on behalf of others, including:

Essentially, any organization that offers services involving sensitive or regulated data can use SSAE 18-based SOC reports to demonstrate the design and effectiveness of their controls.

Related Standards / Reports

Pricing

Not applicable. SSAE 18 is a professional attestation standard, not a commercial product or service with defined pricing plans.

Related Items