SSAE 18 / SSAE 21
SSAE 18 (now superseded by SSAE 21 for certain reports) is the AICPA attestation standard that governs how SOC 1 and SOC 2 audits are conducted by independent CPAs.
The audit standard behind SOC reports
SSAE 18 (Statement on Standards for Attestation Engagements No. 18) is the AICPA standard that defines how a CPA performs attestation engagements, including SOC 1 (financial reporting controls) and SOC 2 (Trust Services Criteria) reports. It replaced SSAE 16 in 2017 and consolidated multiple older standards. SSAE 21 (effective 2022) further refined the framework with clarifications around direct examination engagements. When a vendor's SOC 2 report says it was conducted "under SSAE 18" or "under AT-C 105 and AT-C 205," that is the procedural standard the auditor followed.
What changed from SAS 70
Older procurement teams sometimes still ask for "SAS 70 reports." SAS 70 was retired in 2011 and replaced by SSAE 16 (2011-2017), then SSAE 18 (2017-2022), then SSAE 21. The substantive change in SSAE 18 was stronger requirements around vendor management of sub-service organizations (carve-out vs. inclusive method) and complementary user entity controls. For AI vendors that rely on a hyperscaler (AWS, Azure, GCP), the SSAE 18 carve-out method is what lets the vendor's SOC 2 report exclude the hyperscaler's controls and reference the hyperscaler's own SOC 2 report instead.
Why it matters in vendor diligence
For most AI buyers, knowing the standard exists is enough. The diligence questions live in the SOC 2 report itself: scope, observation window, exceptions, complementary user entity controls (CUECs) that the buyer is responsible for implementing on its side, and the carve-out vs. inclusive treatment of sub-service organizations. If a vendor cannot produce a report citing AT-C 205 / SSAE 18 (or newer), the attestation is not a SOC 2 in the modern AICPA sense.