Statement on Standards for Attestation Engagements (SSAE) No. 16 and Service Organization Controls (SOC) 1 are often used interchangeably. The most significant benefit of SSAE 16 for service organizations is that it allows them to more clearly articulate information about their company and its control environment. In essence, SSAE 16 enables service organizations to present a strong position to its user organization clients about their control environment relevant to processes that impact user organizations’ financial reporting.
SSAE 16 / SOC 1 report
SOC 1 reports are performed using the SSAE 16 standard, replacing SAS 70 reports. SSAE 16 is intended to give a user organization information about the processes used by their service organization when performing financial reporting controls that may impact them.
SOC 2 report
With the introduction of the SOC reporting framework, SOC 2 is emerging as a mainstream report requested by a broad range of user organizations. The benefit of the SOC 2 report for service organizations is that they can now offer clients a separate report focusing on internal controls not related to financial reporting. These reports can help clients better understand internal controls at the service organization related to its system’s security, availability, processing integrity, confidentiality, and privacy. With a SOC 2 report, the definition of the system is broader than in a SOC 1 report, and may also relate to operations. The system is defined by the service provided. The fundamental difference between a SOC 1 and SOC 2 report is that SOC 1 reports on the controls of the service organization that are relevant to the user organization’s financial statement assertions.
Preparing for SOC 1 and SOC 2 reports
Before beginning a SOC 1 or SOC 2 report, organizations should work with their service providers to assess how ready they are for the SOC audits. This preparation includes:
SOC 1 reports: Complete a mock examination and readiness assessment
- Define control objectives that are relevant to their service and clients’ financial reporting
- Identify control activities supporting the control objectives
- Evaluate control evidence to ensure sufficiency for an examination
- Prepare a gap analysis report specifying any remediation activities to be completed prior to the examination
SOC 2 reports: Complete a mock examination and readiness assessment
- Hold preparatory meetings to determine what trust services principles are most relevant to prospective users of the report, what criteria information is available, and what information should be completed prior to the actual examination
- Assist with the description of compliance and operational controls
- Discuss findings to decide on remediation activities to be completed
SOC 3 report
The SOC reporting framework introduces the SOC 3 report, which is an underutilized opportunity for service organizations. The SOC 3 report is very similar to the SOC 2 report; however, a SOC 3 report does not require a detailed description of the controls and the distribution of the report is not restricted.
The SOC 3 report simply reports on whether the service organization achieved one or more of the trust services principles and criteria. This report is considered valuable for a service organization if the organization decides it does not want to reveal the details of its controls or when a user organization requests a SysTrust for Service Organizations seal. The SysTrust seal is a recognized symbol that can be displayed on a service organization’s website after the completion of a SOC 3 report.