Your security and compliance glossary

All the terms you need to know when you’re trying to get compliance audit ready, fast.

Show filters

What is SSAE 16?

The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a set of auditing standards and guidance published by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).


Auditors use SSAE 16 as a guide when creating two specific audit reports: The first is a snapshot to reflect the status of an organization's controls on a particular day, and the second is to incorporate historical data that reflects how controls have changed over time. Auditing standards, like SSAE 16, are used by auditors to guide the discovery of controls, including security controls, in all types of organizations, such as data centers, internet service providers (ISPs) and other entities that incorporate information security controls. The use of such standards is important in order to help both organizations and auditors in demonstrating information security compliance with regulations, such as Sarbanes-Oxley.


Clients use the SSAE 16 standard to pursue a SOC 1 report.

Additional resources you might like:

Comparisons and reviews
Blog
The best ISO 27001 compliance software for 2026

Discover the best ISO 27001 compliance software options for 2026, including Vanta.

Compliance
Blog
7 risk management best practices as regulatory pressure intensifies in 2026

Learn how to align risk management and regulations to navigate the business landscape.

Compliance
Blog
What is a risk register? Best practices for keeping It actionable

Learn what a risk register is and how modern GRC teams should use it.

Additional resources you might like:

Comparisons and reviews
Blog
The best ISO 27001 compliance software for 2026

Discover the best ISO 27001 compliance software options for 2026, including Vanta.

Compliance
Blog
7 risk management best practices as regulatory pressure intensifies in 2026

Learn how to align risk management and regulations to navigate the business landscape.

Compliance
Blog
What is a risk register? Best practices for keeping It actionable

Learn what a risk register is and how modern GRC teams should use it.

Compliance
Blog
What is Enterprise Risk Management (ERM)? Everything you need to know

Explore modern enterprise risk management (ERM) and what makes it a strategic business discipline

GRC
Events
What is GRC Engineering? A fresh take on an old space

Join Lovable and Vanta for an exclusive virtual event on what modern GRC actually looks like when it is done right.

GRC
Blog
Building a risk taxonomy: A guide to classifying risks

Learn how to classify and prioritize risks using a structured risk taxonomy.

GRC
Blog
Understanding inherent risk vs residual risk—and why the gap matters

Learn about inherent and residual risk beyond definitions and see how they influence decisions.

Compliance
Events
Agentic compliance in action with Vanta and Claude

Register to learn how Vanta's MCP Server brings your compliance program directly into Claude.

GRC
Blog
How to write a risk appetite statement in 5 steps

A risk appetite statement isn’t useful unless it drives decisions. Learn how to create one with clear thresholds that help align action with your risk appetite.