Statement on Standards for Attestation Engagements (SSAE) No. 16 and Service Organization Controls (SOC) 1 are often used interchangeably. The most significant benefit of SSAE 16 for service organizations is that it allows them to articulate more clearly information about their company and its control environment. In essence, SSAE 16 enables service organizations to present a strong position to their user organization clients about the control environment relevant to processes that impact user organizations’ financial reporting.
SOC 1 reports are performed under the SSAE 16 standard, which replaced SAS 70 reports. SSAE 16 is intended to give a user organization information about the processes its service organization uses when performing controls that may impact the user organization’s financial reporting.
With the introduction of the SOC reporting framework, SOC 2 is emerging as a mainstream report requested by a broad range of user organizations. The benefit of the SOC 2 report for service organizations is that they can now offer clients a separate report focusing on internal controls not related to financial reporting. These reports can help clients better understand internal controls at the service organization related to its system’s security, availability, processing integrity, confidentiality, and privacy. In a SOC 2 report, the definition of the system is broader than in a SOC 1 report and may also relate to operations; the system is defined by the service provided. The fundamental difference between the two is that a SOC 1 report covers the controls of the service organization that are relevant to the user organization’s financial statement assertions, whereas a SOC 2 report covers controls relevant to security, availability, processing integrity, confidentiality, and privacy.
Before beginning a SOC 1 or SOC 2 engagement, organizations should work with their service providers to assess how ready they are for the SOC audits. This preparation includes:
The SOC reporting framework also introduces the SOC 3 report, which is an underutilized opportunity for service organizations. The SOC 3 report is very similar to the SOC 2 report; however, a SOC 3 report does not require a detailed description of the controls, and distribution of the report is not restricted.
The SOC 3 report simply states whether the service organization achieved one or more of the trust services principles and criteria.* This report is valuable for a service organization that decides it does not want to reveal the details of its controls, or when a user organization requests a SysTrust for Service Organizations seal. The SysTrust seal is a recognized symbol that can be displayed on a service organization’s website after the completion of a SOC 3 report.
*The trust services principles and criteria are security, availability, processing integrity, confidentiality, and/or privacy. The security, availability, and processing integrity criteria relate to the system of controls; the confidentiality and privacy criteria relate to the information processed by the system.