The Statement on Standards for Attestation Engagements (SSAE) No. 16 and the Service Organization Controls (SOC) reporting framework are critical topics for service organizations.
SSAE 16 is the standard under which a SOC 1 report is issued and, in effect, replaces the SAS 70 report. An SSAE 16 engagement gives user organizations and their auditors assurance over the controls at the service organization that are relevant to the user organization's internal control over financial reporting.
Three SOC reports are available, each addressing a different purpose and audience. Our professionals can assist you with the transition from SAS 70 to SSAE 16 / SOC 1 reporting, or with demonstrating controls over critical services that do not affect your financial statements through a SOC 2 or SOC 3 report.
SOC reporting services
SOC 1 reports (SSAE 16, previously SAS 70)
- Purpose: Reports on the controls of the service organization that are relevant to the user organization's financial reporting.
- Information required: A description of the system and its controls, the tests performed by the service auditor, and the results of those tests.
- Audience: User organization's controllers, compliance officers, CFO, CIO, and financial statement auditors.
SOC 2 reports
- Purpose: Reports on the effectiveness of the service organization's controls relevant to compliance or operations, evaluated against the trust services principles and criteria.*
- Information required: A description of the system and its controls, the tests performed by the service auditor, and the results of those tests.
- Audience: Restricted to specified parties: the user organization's controllers, compliance officers, CFO, CIO, vendor management executives, regulators, and appropriate business partners.
SOC 3 reports
- Purpose: Same as a SOC 2 report.
- Information required: Covers the same trust services criteria as a SOC 2 report, but omits the detailed description of the controls and of the service auditor's tests and results.
- Audience: Unrestricted; it can be read by anyone who wants confidence in the service organization's controls.
*The trust services principles and criteria are security, availability, processing integrity, confidentiality, and/or privacy. The security, availability, and processing integrity criteria relate to the system itself; the confidentiality and privacy criteria relate to the information processed by the system.