Delivering expert cyber security solutions to small and medium-sized businesses

Learn More


What is SSAE 18 Compliance?

Statement on Standards for Attestation Engagements no. 18 (SSAE 18), is an auditing standard for service organizations. It is required by many industries and organization for vendors that provide them services. The examinations and audits of these Standards are known as SOC reports.

Even for industries that are not heavily regulated, SOC reports became standard for vendor management and vendor risk assessments. SOC reports may also be used as a marketing tool, objectively attesting that the organization follows financial, cybersecurity, and privacy guidelines.

SSAE 18 superseded SSAE 16. SOC superseded SAS 70.

What’s the different between a SOC1, SOC2 & SOC3 Audit?

Service Organization Control (SOC) audits test that the company has the right controls in place. These audits come in 3 categories:

SOC 1 – Controls over financial reporting. This is most relevant for organizations that provide financial services, such as payroll, banking, investments, capital management, etc.

SOC 2  – focuses on information security, privacy, integrity, confidentiality, addressing both cybersecurity and business process controls. The list of controls usually follow a selected framework, taking into account additional requirements from partnering businesses.

SOC 3 – usually overlaps with SOC on the list of audited controls, but not limited in distribution and usually publicly presented. This may become a powerful marketing tool, posted freely on a website, to provide comfort for clients and partners.

In addition, the SOC audits come in 2 types:

  • Type I – a report that audits the state of company controls on the audit date
  • Type II – a report that audits the state of the controls over time, usually over the last 12 months. This provides more assurance, stating the controls were effectively in place for the whole time.

The right category and type of a SOC report depends on the industries you serve, the services you provide, and the specific need for the report.

How can GoldSky Security support your SSAE 18 compliance needs?

GoldSky works with service organizations in need of SSAE 18 reports: SOC 1, SOC 2, SOC 3, type I, and type II.

GoldSky examines the controls and their effectiveness, consults on identified deficiencies and potential improvements (gap analysis).

GoldSky Security offices in Orlando, Denver, Tampa, Nashville, Washington D.C, Phoenix and can help support your SOC 1, SOC2 or SOC3 audits?

How can GoldSky Security help you?

Contact GoldSky Security today for a Free Consultation.