🇺🇸 Live Medical Devices & Diagnostics

SSAE 18 — Attestation Standards: Clarification and Recodification

AICPA attestation standard governing examination, review, and agreed-upon procedures engagements including SOC 1 and SOC 2 reports. Applies to service auditors and service organisations.

9

Rules extracted

48

Obligations decomposed

5.3x

Avg obligations per rule

🇺🇸 United States

Jurisdiction

What AuditDSS covers

Source

1

Regulation

Extracted

9

Rules

Decomposed

48

Obligations

5.3x

Decomposition ratio

Each rule is decomposed into an average of 5.3 atomic obligations — the smallest testable units that can be independently violated.

Fully extracted & scored

All 48 obligations have been decomposed, titled, risk-scored, and embedded for semantic matching.

Risk scoring

Every obligation in SSAE 18 is scored across independent risk dimensions:

W

Obligation Weight

How critical within the regulatory framework

L

Violation Likelihood

How often breached in practice

E

Enforcement Evidence

Regulator enforcement history and penalties

C

Cascade Dependency

How many obligations depend on this one

Regulatory details

Full title
SSAE 18 — Attestation Standards: Clarification and Recodification
Regulatory body
American Institute of Certified Public Accountants
Jurisdiction
🇺🇸 United States
Document type
standard
Effective date
May 1, 2017
Industry
Medical Devices & Diagnostics

Who this applies to

CPA firmsattestation practitionersservice organizationsservice auditorsuser entitiesmanagement of reporting entities

Key requirements

  • AT-C 105: Common concepts for all attestation engagements
  • AT-C 205: Examination engagement requirements (SOC 1/SOC 2)
  • AT-C 210: Review engagement requirements
  • AT-C 215: Agreed-upon procedures engagement requirements
  • AT-C 305: Prospective financial information
  • AT-C 310: Pro forma financial information
  • AT-C 315: Compliance attestation
  • AT-C 320: Controls at service organizations (SOC 1)
  • AT-C 395: Management discussion and analysis

Frequently asked questions about SSAE 18

What is SSAE 18?
AICPA attestation standard governing examination, review, and agreed-upon procedures engagements including SOC 1 and SOC 2 reports. Applies to service auditors and service organisations.

Who does SSAE 18 apply to?
SSAE 18 applies to CPA firms, attestation practitioners, service organizations, service auditors, user entities, management of reporting entities.

How many obligations does SSAE 18 contain?
AuditDSS has decomposed SSAE 18 into 48 atomic obligations from 9 rules. Each obligation is independently testable and risk-scored.

What are the key requirements of SSAE 18?
The key requirements include: AT-C 105: Common concepts for all attestation engagements, AT-C 205: Examination engagement requirements (SOC 1/SOC 2), AT-C 210: Review engagement requirements, AT-C 215: Agreed-upon procedures engagement requirements, AT-C 305: Prospective financial information, AT-C 310: Pro forma financial information, AT-C 315: Compliance attestation, AT-C 320: Controls at service organizations (SOC 1), AT-C 395: Management discussion and analysis.

How can I assess my SSAE 18 compliance?
Upload your compliance policy to AuditDSS. The platform maps your document against all 48 SSAE 18 obligations using deterministic AI scoring — not checklists or LLM summaries. You get a risk-scored gap analysis showing exactly which obligations are covered, partially covered, or missing.

Which jurisdiction enforces SSAE 18?
SSAE 18 is enforced in United States by American Institute of Certified Public Accountants.

When did SSAE 18 come into effect?
SSAE 18 became effective on May 1, 2017.

What industry does SSAE 18 apply to?
SSAE 18 is primarily relevant to the Medical Devices & Diagnostics industry. AuditDSS covers 64 regulations in this industry sector.

Build a SSAE 18 compliance pack

Don't have a compliance policy yet? AuditDSS generates a complete compliance pack for SSAE 18 — alone or combined with other regulations your business needs. Every clause is mapped to specific obligations.

Policy

High-level commitments and governance framework covering SSAE 18 requirements.

Procedures

Step-by-step operational procedures to implement each policy commitment.

Forms & checklists

Ready-to-use forms, registers, and checklists for day-to-day compliance operations.

Multi-regulation

Combine SSAE 18 with other regulations into a single unified compliance pack for your business.

Build SSAE 18 compliance pack

Already have a policy? Assess it against SSAE 18

1

Upload your document

Upload your compliance policy, program manual, or operational document. AuditDSS accepts any text-based document.

2

AI maps against 48 obligations

Your document is scored against every obligation in SSAE 18. Each claim is mapped to the obligation tree and evaluated for coverage.

3

Risk-scored gap report

Receive every gap ranked by risk priority with remediation guidance, enforcement evidence, and cascade impact analysis.

Related regulations in Medical Devices & Diagnostics

🇺🇸 Live

Anti-Kickback Statute

38 rules, 1,238 obligations
🇦🇺 Live

ACL

13 rules, 211 obligations
🇦🇺 Live

AU Climate Disclosure

10 rules, 52 obligations
🇦🇺 Live

Fair Work Act 2009

16 rules, 260 obligations
🇦🇺 Live

Modern Slavery Act 2018

9 rules, 135 obligations
🇦🇺 Live

Privacy Act 1988

29 rules, 203 obligations
🇦🇺 Live

SOCI Act 2018

10 rules, 32 obligations
🇦🇺 Live

TGA Act 1989

13 rules, 199 obligations

Assess your SSAE 18 compliance

Upload your document and get a risk-scored gap analysis against 48 SSAE 18 obligations in under 5 minutes.

Start assessment Browse all regulations