A message lands in your inbox. It is a security questionnaire from a prospect. Line four asks if you are "SSAE 18 SOC 2 Type 2 certified."
You pause. You search the term. You land on five different blog posts that each explain half the picture, and none of them speaks your language.
Here is the uncomfortable truth. The global average cost of a data breach hit $4.44 million in 2025. That number is why every enterprise buyer now demands proof of security before signing a contract.
This guide clears up your confusion. You will learn what SSAE 18 actually is, what SOC 2 actually is, and what your prospect is really asking for.
If you’re short on time, here’s a quick version.
Let’s get into the details now.
What Is SSAE 18? (The Standard, Not the Report)
SSAE 18 stands for Statement on Standards for Attestation Engagements No. 18. Think of it as a rulebook. It tells auditors exactly how to check a company's controls.
It is not a certificate. It is not a badge. It is not something your company can "pass" or "fail" on its own. It simply tells a licensed CPA firm how to run an audit properly.
The AICPA published SSAE 18 in April 2016. It became the required standard on May 1, 2017. Before that date, auditors followed an older rulebook called SSAE 16.
SSAE 18 sits inside a bigger family of attestation sections known as AT-C sections. Section 105 covers general rules. Section 205 covers audits. Section 320 covers financial reporting audits, which is the base for SOC 1 reports.
Picture SSAE 18 as the referee's rulebook in a football match. The referee follows the rulebook. The match itself, with its final score, is the report you get at the end. SSAE 18 is the rulebook. SOC 2 is the scoreboard.

Once you separate the rulebook from the scoreboard, the rest of this topic gets much easier to follow.
SSAE 18 vs SSAE 16: What Actually Changed?
SSAE 16 was the old rulebook. It started in 2011 and stayed active until SSAE 18 replaced it in 2017. Many older blog posts and vendor pages still reference SSAE 16 by mistake.
Two things changed. First, auditors now require a formal, written risk assessment from your leadership team. You cannot just say your risks are handled. You must document them.
Second, SSAE 18 added stricter rules around vendors. If you use AWS, Stripe, or any outside tool, your auditor now checks how closely you watch those vendors too.
Founder's tip!
If your product depends on three or more outside vendors, expect your auditor to ask detailed questions about each one. Keep a simple vendor list ready before the audit starts.
That vendor rule is a big reason SSAE 18 exists at all. Now that the standard makes sense, the next question is the one that trips up almost everyone: is SSAE 18 actually the same thing as SOC 2?
Is SSAE 18 the Same as SOC 2?
No, they are not the same thing. This single confusion causes more wasted time in procurement calls than almost anything else in compliance conversations.
SSAE 18 is the standard. SOC 2 is the report your auditor writes after following that standard. One is a rulebook. The other is a document you hand to your customer.
Here is a simple comparison. GAAP is the accounting rulebook. A financial statement is the document that follows those rules. SSAE 18 works the same way for SOC reports.
The phrase "SSAE 18 SOC 2" is informal shorthand. Buyers use it in vendor questionnaires. What they actually mean is: "a SOC 2 report, produced under SSAE 18 rules."
Did you know?
SSAE 18 governs SOC 1, SOC 2, and SOC 3 all at once. It is the umbrella standard sitting above every version of the SOC report family, not just SOC 2.
Once that difference clicks, the real question becomes practical. Which report does your specific client actually want, SOC 1 or SOC 2?
SOC 1 vs SOC 2: Which Report Does Your Client Want?
SOC 1 protects financial reporting. It answers one question: could an error in your systems mess up a client's financial statements? If yes, your client's finance team wants SOC 1.
SOC 2 protects data and operations. It answers a different question: are your systems secure, available, and handled responsibly? If yes, your client's security team wants SOC 2.
The two reports rarely overlap in purpose. Payroll processors and loan servicers usually need SOC 1. SaaS platforms and cloud tools almost always need SOC 2 instead.
What SOC 1 Actually Covers? (SSAE 18 AT-C 320)
SOC 1 sits under AT-C Section 320 of SSAE 18. Its full name is System and Organisation Controls for Internal Control over Financial Reporting.
It uses self-defined control goals, not a fixed checklist. Every company sets its own controls, and the auditor checks whether those controls actually work as claimed.
Companies that typically need SOC 1 include payroll processors, loan servicers, and claims processing platforms. The simple test is this: would a bug in your system show up on your client's balance sheet?
What SOC 2 Covers: The 5 Trust Services Criteria?
SOC 2 measures your company against five Trust Services Criteria, also called TSC. These criteria come from the AICPA and apply to nearly every SaaS company on earth.
Security is the only mandatory criterion. It is sometimes called the Common Criteria. Every SOC 2 report includes it, with no exceptions allowed.
The other four criteria are optional. You pick them based on what you promise your customers. Here is the full breakdown.
Why this matters?
Choosing the wrong criteria adds real cost. Most B2B SaaS companies handling business data should pick Confidentiality, not Privacy, since Privacy is built for companies dealing directly with individuals.
Who Needs SOC 1, SOC 2, or Both?
Some companies need both reports at once. Fintech platforms and payroll software are the classic example, since they touch financial data and customer data in the same product.
A payroll SaaS company runs payroll, which touches SOC 1 territory. It also stores employee records, which touches SOC 2 territory. That company likely needs both reports every year.
The fastest way to know which report you need is to ask your client directly. Their procurement or audit team usually knows exactly which one their internal policy requires.
Once you know which report fits your business, the next decision gets more specific. Do you go for a quick Type 1 report, or commit to the longer Type 2 process?
SOC 2 Type 1 vs Type 2: Which One to Pursue First
Type 1 and Type 2 both exist inside SOC 1 and SOC 2. They measure different things, so picking the right one changes your entire timeline.
Type 1 checks your controls on a single day. Type 2 checks whether those same controls actually worked, consistently, over several months. Enterprise buyers almost always expect Type 2.
Think of Type 1 as a photo. It shows your controls exist on one date. Type 2 is a video. It proves those controls kept running over an entire audit period.
Tip!
If you are under deal pressure right now, get Type 1 first to unblock the deal. Then commit to a Type 2 audit within the next 12 months to satisfy long-term buyer expectations.
SOC 1 Type 1 vs Type 2: The Same Logic Applies
SOC 1 follows the exact same pattern as SOC 2. Type 1 checks control design on one date. Type 2 checks operating effectiveness over an extended window.
Financial audit teams almost always want SOC 1 Type 2. A Type 1 report rarely satisfies a client's external financial auditors during their own SOX or year-end review process.
Type 1 is still useful as a starting point. New service organisations often begin here before moving into a full Type 2 observation cycle the following year.
Once you know which type fits your timeline, the next confusing phrase shows up almost immediately in every procurement email. Let's clear that one up too.
What "SSAE 18 SOC 2 Certification" Actually Means?
This phrase does not describe a real credential. No certificate exists with this name. You cannot frame it or hang it on your office wall.
What your client actually wants is a SOC 2 report, most likely Type 2, produced by a licensed CPA firm under SSAE 18 rules. That is the entire meaning behind the phrase.
The real deliverable is a document, not a badge. It contains your company's assertion, the auditor's opinion, a system description, and, for Type 2, detailed test results.

Did you know?
You cannot legally say "SSAE 18 certified" in a sales deck. The accurate phrase is: "we have a SOC 2 Type 2 report issued under SSAE 18 attestation standards."
Getting this phrasing right matters more than it seems. Saying it wrong on a security call can quietly signal to a buyer that your team does not fully understand your own compliance posture.
Now that the terminology is settled, there is one more layer most US-based guides skip entirely: what changes once your buyers sit outside the United States.
Going Global: ISAE 3402 and ISO 27001 Compared
SSAE 18 reports were built with US auditors in mind. Once your buyers sit in Europe, the Middle East, or Asia-Pacific, two new frameworks enter the conversation.
Those two frameworks are ISAE 3402 and ISO 27001. One replaces SOC 1 for global clients. The other complements or replaces SOC 2 depending on where your customer sits.
ISAE 3402 vs SOC 1: Same Job, Different Jurisdiction
ISAE 3402 is issued by the IAASB, an international standards body. It does the exact same job as SOC 1, but for clients outside the US.
Both frameworks come in Type 1 and Type 2 versions, using the same logic explained earlier in this guide. The only real difference is which regulator recognises the resulting report.
Some CPA firms can run one engagement that satisfies both SSAE 18 and ISAE 3402 at the same time. This saves time and money for companies serving both US and global clients.
SOC 2 vs ISO 27001: US Buyers vs Global Buyers
SOC 2 is an attestation report. ISO 27001 is a formal, public certificate. That single difference changes how each one gets used in sales conversations.
SOC 2 stays restricted and shared only under NDA. ISO 27001 produces a public certificate anyone can verify. US enterprise buyers lean toward SOC 2 first. Global buyers often ask for both.
A helpful comparison of the ISO 27001 checklist shows how the certification path differs structurally from a SOC 2 audit, even though both prove the same underlying idea: your security actually works.

Whichever path you follow, the two questions every founder eventually asks are the same. What will this cost, and how long will it actually take?
Cost, Timeline, and How to Get Your SOC 2 Report?
Cost and timeline depend heavily on scope. More Trust Services Criteria means more controls to prove, which means a longer audit and a bigger invoice from your auditor.
Auditor tier also matters. A well-known CPA firm often costs more than a smaller regional firm, but their report may carry more weight with sophisticated enterprise buyers.
That audit fee is only one line item. Most founders underestimate the full first year spend, since readiness work, tooling, and internal time all sit outside the auditor's invoice.
A realistic first year budget for SOC 2 Type 2 usually lands between $20,000 and $150,000 once you add readiness support, security tooling, and staff hours to the audit fee itself.
Read the full SOC 2 compliance cost & SOC 2 audit timeline for a line-by-line view of the cost and actual timeline of various stages of the SOC 2 audit.
Several factors push that number up or down. Here is what actually moves the needle on your final bill.
Note!
Adding Availability, Processing Integrity, Confidentiality, or Privacy on top of Security typically raises audit cost by 20 to 30 per cent, since each extra criterion means more controls for your auditor to sample and test.
The path to an issued report follows a predictable sequence, even though the exact pace varies by company.
Understanding each stage helps you plan around it instead of getting surprised midway through.
- It starts with scope definition, where you decide which systems, vendors, and criteria fall inside the audit boundary.
- A SOC 2 compliance checklist helps most teams organise this stage cleanly from day one.
- Next comes a readiness assessment, essentially a gap analysis against the Trust Services Criteria. This step reveals exactly which controls are missing before an auditor ever gets involved.
- Remediation follows, where your team builds the missing controls and starts producing evidence. For Type 2 engagements, this evidence then needs to run consistently through an observation period.
- The observation period is where Type 2 differs most from Type 1. Controls must operate for a minimum of three to six months, though most enterprise buyers expect a full twelve-month window.
- Once that window closes, auditor fieldwork begins. The CPA firm samples your evidence, interviews your team, and tests whether your controls actually worked as described throughout the period.
Founder's tip!
Renewal audits move much faster than your first one. Once controls already exist and evidence collection is automated, most renewal cycles wrap up in three to five months instead of a full year.
Why this matters: a lapsed report is treated the same as no report at all by most procurement teams. Planning your audit period around your biggest client's fiscal year-end keeps a fresh SOC 2 Type 2 report in hand exactly when renewal conversations start.
Cost and timeline are only half the picture. The bigger lever most founders miss is how fast a good compliance platform can compress the whole process from end to end.
How ComplyJet Cuts SOC 2 Preparation Time and Cost?
Manual SOC 2 prep usually means spreadsheets, screenshots, and endless Slack threads chasing evidence from engineering. Most teams lose months before the auditor even shows up.
ComplyJet automates that evidence collection directly from your existing tools. Controls map straight to the Trust Services Criteria, so nothing gets tracked twice across spreadsheets.
Instead of hiring a separate consultant, ComplyJet connects you to vetted CPA auditors as part of the platform. That single step alone removes weeks of vendor sourcing for most startups.
Precognition Labs removed enterprise security blockers and became audit-ready in under two weeks using ComplyJet.
See the customer story for the full breakdown of what changed.
If manual evidence gathering is what's slowing your team down, a best SOC 2 software comparison shows exactly how automation platforms stack up against doing it all by hand.
Speed and cost solve half the problem. The other half is simply speaking the right language once your report is finally in hand.
SSAE 18 and SOC 2 Terminology You Are Getting Wrong
Small phrasing mistakes cost real credibility during procurement calls. Here are the six most common terms founders get wrong, and the correct way to say each one.
"SSAE 18 certified" does not exist. Say "we have an issued SOC 2 Type 2 report" instead. No certificate exists under this name from the AICPA.
"SOC 2 compliant" is informal and vague. Say "we have a current SOC 2 Type 2 report" to sound precise and accurate in front of security reviewers.
"SSAE 18 and SOC 2 are the same" is false. SSAE 18 is the standard. SOC 2 is the report. They operate at completely different levels.
"SOC 1 is outdated" is also false. SOC 1 and SOC 2 serve entirely different audiences. Neither one replaces the other, no matter how new your company is.
Why this matters?
Enterprise security teams notice phrasing mistakes immediately. Getting this language right signals that your team actually understands its own compliance requirements, not just the marketing version.
With the terminology sorted, let's close out the confusing parts with quick, direct answers to the questions people ask most.
Frequently Asked Questions About SSAE 18 and SOC 2
Can a startup skip SOC 2 Type 1 and go straight to Type 2?
Yes. There is no rule requiring Type 1 first. Many companies go directly to Type 2 because that is what enterprise buyers expect from a serious vendor.
How long does a SOC 2 report stay valid?
Typically 12 months from the end of the audit period. The report does not officially expire, but buyers expect a fresh one after that window. Read the full SOC 2 report validity guide for the exact rules.
What is a subservice organisation?
Any outside vendor helping deliver your product, like AWS or a payment processor. SSAE 18 requires your report to explain how you monitor those vendors closely.
What is ISAE 3402, and when do I need it?
It is the international version of SOC 1, built for clients outside the United States. Global fintech and payroll companies often need it alongside SOC 1.
Can a company hold both a SOC 1 and SOC 2 report?
Yes, and many fintech and payroll companies do exactly that. Finance teams review the SOC 1. Security teams review the SOC 2 at the same time.
Who is qualified to issue a SOC 2 report?
Only a licensed CPA firm registered with the AICPA can issue one. Internal teams can prepare evidence, but the final attestation report must come from an independent auditor.
What happens if my audit finds control failures?
Your report gets a qualified opinion instead of a clean one. Most buyers still review it, but they will ask about your remediation plan before moving forward.
Conclusion
SSAE 18 is the standard. SOC 2 is the report it produces. That single distinction clears up almost every confusing sentence in a security questionnaire.

SOC 1 protects financial reporting. SOC 2 protects data and operations. Type 2 is what serious enterprise buyers actually expect to see before signing.
None of this is a one-time task. SOC 2 renews every year, and staying current is what keeps enterprise deals moving instead of stalling in legal review.


