Auditing according to the American standard

Reporting on Controls at a Service Organization / US auditing standard

Statements on Standards for Attestation Engagements (SSAE 18), Reporting on Controls at a Service Organization, is the American auditing standard for auditing the internal control system (ICS) of outsourcing service providers.

An audit in accordance with SSAE 18 is based on the description of the service-related ICS and the management assessment. As part of the management assessment, management provides a statement that the ICS is adequately presented, that the internal controls were implemented during the audit period and, in the case of a type II audit, that they were effective in achieving the predefined control objectives. A description of the ICS by the company to be audited is an essential part of the reporting.




An SSAE 18 audit can cover two dimensions:

  • Type 1

    Assessing the adequacy and design of controls at a predetermined point in time without making a statement about their effectiveness.

  • Type 2

    In addition to Type I, an assessment of the effectiveness of the established controls of the ICS is carried out within a predefined audit period.

Benefits of SSAE 18 certification:

  • Proof of the appropriateness and, if applicable, effectiveness of the service-related ICS

  • Assessment of business risks through outsourcing of operational processes

  • Reporting on the ICS of the service company

  • Quality feature compared to non-certified companies

  • Marketing instrument for maintaining and expanding the customer base

A possible project flow is shown in the following workflow.