SSAE 18 vs ISAE 3402:
Which SOC 1 Standard Does Your Business Need?
When your enterprise clients or their auditors ask for a SOC 1 report, they're referring to either SSAE 18 (the US standard) or ISAE 3402 (the international equivalent). For many organizations — especially those serving global clients — understanding which standard applies (and when you need both) is critical to achieving compliance.
What is SSAE 18?
SSAE 18 (Statements on Standards for Attestation Engagements No. 18) is the current US standard for SOC 1 reports, issued by the American Institute of Certified Public Accountants (AICPA). It is codified under AT-C Section 320 and governs engagements where a US-registered CPA firm issues a service organization control report to clients in the United States.
SSAE 18 superseded SSAE 16 in 2017 and introduced enhanced requirements around complementary subservice organization controls (CSOCs) and vendor risk management — reflecting the modern reality that most service organizations rely on cloud providers and other vendors.
What is ISAE 3402?
ISAE 3402 (International Standard on Assurance Engagements 3402) is the international equivalent issued by the International Auditing and Assurance Standards Board (IAASB). It is recognized and accepted in the UK, European Union, Australia, Canada, Japan, Singapore and most other countries outside the United States.
The substantive requirements of ISAE 3402 are nearly identical to those of SSAE 18 — both cover Type 1 and Type 2 reports, both require management's assertion and the service auditor's report, and both have the same control objective structure.
Key Differences
| Factor | SSAE 18 | ISAE 3402 |
|---|---|---|
| Issuing Body | AICPA (USA) | IAASB (International) |
| Geographic Scope | United States | UK, EU, APAC, Canada, Global |
| Report Issuer | US-registered CPA firm | Firm registered under applicable national standards |
| Codification | AT-C Section 320 | ISAE 3402 |
| Predecessor | SSAE 16 / SAS 70 | SAS 70 international |
| Content Overlap | ~95% identical requirements | ~95% identical requirements |
| Combined Report | Available — single report referencing both standards | Available — single report referencing both standards |
| Availability from KavachOne | ✅ Yes | ✅ Yes |
Which Standard Does Your Business Need?
✅ You Need SSAE 18 When:
- Your clients are primarily US-based companies
- Your clients' external auditors are US CPA firms (Big 4 US, regional US firms)
- Procurement contracts specify "SSAE 18" or "SOC 1" without further qualification
- You are a US-incorporated company primarily serving US enterprises
🌍 You Need ISAE 3402 When:
- Your clients include UK, European, Australian, Canadian or Asian companies
- Your clients' auditors are international firms (PwC UK, KPMG Germany, etc.)
- You are headquartered outside the US and primarily serve non-US clients
- Your procurement contracts specify "ISAE 3402" explicitly
🔄 You Need Both When:
- You serve enterprise clients in both the US and internationally
- You are an India-based company serving US and European clients (very common)
- Your contract portfolio includes requirements from multiple geographies
- Note: A combined SSAE 18 / ISAE 3402 report from KavachOne covers both at no extra cost
Good news for global organizations: KavachOne can issue a single report that references both SSAE 18 and ISAE 3402 simultaneously — accepted by US auditors and international auditors alike. This is included in our standard service.
The SAS 70 Question
If a client (especially an older enterprise) asks for an "SAS 70 report," they are using outdated terminology. SAS 70 was retired in 2011 and replaced by SSAE 16, which was then superseded by SSAE 18. The current equivalent of what they need is a SOC 1 report under SSAE 18. KavachOne's reports include a cover letter explaining this evolution when required.
Get Your SSAE 18 / ISAE 3402 SOC 1 Report
KavachOne — registered US CPA firm — issues reports accepted worldwide. Single engagement, dual-standard coverage. Starting at $2,500.