By Gil Vidals, , HIPAA Blog, Resources

SSAE 16, or Statements on Standards for Attestation Engagements No. 16, is a reporting standard created by the American Institute of Certified Public Accountants (AICPA) for all service auditors and organizations (to include data center facilities) throughout the United States.

SSAE 16 requires a written assertion from the service company accurately describing the operational effectiveness of their organizational controls. This description is to consist of services provided by the organization, along with all applicable operational activities which affect services used by customers of the organization.

Service organizations also need to declare that the description properly describes the control objectives in accordance with the associated time period when they are to be assessed.

Based on AICPA reporting standards, when an audit is conducted under SSAE 16, a Service Organization Control (SOC) report is produced. These reports focus on internal controls and financial reporting and are available as Type 1 or Type 2 reports.

Type 1 reports provide assessments that took place on a specific date, such as February 12, 20xx, while Type 2 reports will cover a broader scope generally know as a “testing period.” This could be anytime from one week to one month, to one year.

Type 1 reports only show the assessor’s perspective with regards to the accuracy and completeness of the service description provided by the organization, along with the applicability of the design of controls based on a specific date.

Type 2 reports not only cover the Type 1 details, they also provide auditing results of the operational effectiveness of those controls throughout a defined time period, usually between six months and a year.

SOC data center compliance has become a mandatory requirement for many facilities throughout North America that offer co-location services offerings. SOC reports present and validate that data centers use a high level of assurance that is secure, highly available, and operating under a consistent set of high-integrity processes.

As such, heavy regulatory compliance burdens continue to be levied upon such facilities, with assurance reporting being the standardized SSAE 16 auditing standard.

SOC 1 assessments are based on financial reporting of service organizations; SOC 2 assessments target technology-oriented service organizations with granular details about the security controls used. SOC 3 assessments focus on similar results from the SOC 2 report from a higher echelon perspective.

Restricted Use ReportGenerally a Restricted Use ReportGeneral Use Report


Reports on controls for Financial Statements audits



Reports on controls related to compliance or operations



Reports on controls related to compliance or operations


  • Reports on service organization controls relevant to financial reporting
  • Restricted only to management personnel for service organizations, user entities, and user auditors


  • Reports on service organization controls relevant to security, availability, processing integrity, confidentiality, privacy
  • Provides a description of service auditor’s control testing and results thereafter


  • Covers an overview of SOC 2 report
  • Service auditor’s control testing and results are not included
 Who uses thisWhy do theyWhat is covered
SOC 1Management of the service organization, user entities, and auditorsAudit of financial statementControls relevant to user entity financial reporting
SOC 2Management of the service organization and user entities, Regulators, OthersGovernance, risk, and compliance programs; Oversight; Due diligenceConcerns regarding a system’s security, availability, processing, integrity, confidentiality, or privacy
SOC 3Any users with a need for confidence in the security, availability, processing, integrity, confidentiality, or privacy of a service organization’s system(s)Marketing purposes; details not particularly neededSeal of approval, along with reporting on service controls