The Statement on Standards for Attestation Engagements (SSAE) No. 16 and the Service Organization Controls (SOC) reporting framework are critical topics for service organizations.

SSAE 16 is the new standard for creating a SOC 1 report and, in effect, replaces SAS 70 reports. SSAE 16 provides user organizations with a strong sense of comfort about the processes performed by service organizations relevant to financial reporting controls.

Three SOC reports are available and address different purposes and audiences. Our professionals can assist you with the transition from SAS 70 to SSAE 16 / SOC 1 reporting or demonstrating controls over critical services not impacting your financial statements with a SOC 2 or 3 report.

SOC reporting services

SOC 1 reports (SSAE 16, previously SAS 70)

  • Purpose: Reports on the controls of the service organization that are relevant to the user organization's financial reporting.
  • Information required: Details on the system, controls, and tests performed by the service auditor, and results of those tests.
  • Audience: User organization's controllers, compliance officers, CFO, CIO, and financial statement auditors

SOC 2 reports

  • Purpose: Reports on the effectiveness of the controls of the service organization related to compliance or operations, including trust services principles and criteria*
  • Information required: Details the system, controls, and test performed by the service auditor, and results of those tests
  • Audience: User organization's controllers, compliance officers, CFO, CIO, vendor management executives, regulators, other specified parties, and appropriate business partners

SOC 3 reports

  • Purpose: Same purpose as SOC 2 report
  • Information required: Same information as SOC 2 report, but with a less detailed description of the controls of the service organization
  • Audience: Unrestricted and can be viewed by anyone who would like confidence in the controls for the service organization

*Trust services principles and criteria is security, availability, processing integrity, confidentiality, and/or privacy. The security, availability, and processing integrity criteria are related to the controls system and the confidentiality and privacy criteria are related to the information processed by the system.


SOC reporting: What service organizations need to know

Strong understanding of SOC 1, 2, and 3 reports is essential to clearly articulate services and internal control processes to user organizations. With a greater focus on internal control by regulators, boards of directors, and others charged with governance, there has been an increase in demand for attestation reports for both controls over financial reporting and other subject matters.

Read more >

Vendor management and the importance of SOC report reviews

The importance of vendor management continues to grow, especially given the rise in outsourcing tasks or entire functions of an organization to a service provider. As such, vendor management is becoming increasingly complex as more vendors are providing more services, often handling sensitive data with specific regulatory requirements. Service Organization Controls (SOC) reports are a key component in the process. However, many organizations simply file them away and fail to perform a critical review of each report.

Learn more >