20 Mar 2018

SSAE 16 Audit and SOC Reporting

By HIPAA Vault

Statements on Standards for Attestation Engagements No. 16 (SSAE 16) is a reporting standard created by the American Institute of Certified Public Accountants (AICPA) for all service auditors and service organizations (including data center facilities) throughout the United States. SSAE 16 requires a written assertion from the service organization accurately describing the operational effectiveness of its organizational controls. This description must cover the services provided by the organization, along with all applicable operational activities that affect the services used by the organization's customers. Service organizations must also declare that the description fairly presents the control objectives for the time period in which they are to be assessed.

Based on AICPA reporting standards, when an audit is conducted under SSAE 16, a Service Organization Control (SOC) report is produced. These reports focus on internal controls and financial reporting and are available as Type 1 or Type 2 reports. A Type 1 report provides an assessment as of a specific date, such as February 12, 20xx, while a Type 2 report covers a broader scope generally known as a "testing period". This could be anything from one week, to one month, to one year. A Type 1 report only presents the assessor's opinion on the accuracy and completeness of the service description provided by the organization, along with the suitability of the design of the controls as of that specific date. A Type 2 report not only covers the Type 1 details but also provides audit results on the operational effectiveness of those controls throughout a defined time period, usually between six months and a year.

SOC data center compliance has become a mandatory requirement for many facilities throughout North America that offer co-location service offerings. SOC reports present and validate, with a high level of assurance, that data centers are secure, highly available, and operating under a consistent set of high-integrity processes. As such, heavy regulatory compliance burdens continue to be levied upon such facilities, with SSAE 16 serving as the standardized auditing standard for assurance reporting.

SOC 1 assessments are based on the financial reporting of service organizations. SOC 2 assessments target technology-oriented service organizations, with granular detail about the security controls in use. SOC 3 assessments present results similar to those of the SOC 2 report, but from a higher-level perspective.

SOC 1: Restricted Use Report. Purpose: reports on controls relevant to financial statement audits.

SOC 2: Generally a Restricted Use Report. Purpose: reports on controls related to compliance or operations.

SOC 3: General Use Report. Purpose: reports on controls related to compliance or operations.

SOC 1

  • Reports on service organization controls relevant to financial reporting
  • Restricted only to management personnel for service organizations, user entities, and user auditors

SOC 2

  • Reports on service organization controls relevant to security, availability, processing integrity, confidentiality, privacy
  • Provides description of service auditor’s control testing and results thereafter

SOC 3

  • Covers an overview of the SOC 2 report
  • Service auditor’s control testing and results are not included

Who uses each report, why, and what it covers:

SOC 1

  • Who uses it: Management of the service organization, user entities, and auditors
  • Why: Audit of financial statements
  • What is covered: Controls relevant to user entity financial reporting

SOC 2

  • Who uses it: Management of the service organization and user entities, regulators, and others
  • Why: Governance, risk, and compliance programs; oversight; due diligence
  • What is covered: Concerns regarding a system’s security, availability, processing integrity, confidentiality, or privacy

SOC 3

  • Who uses it: Any users needing confidence in the security, availability, processing integrity, confidentiality, or privacy of a service organization’s system(s)
  • Why: Marketing purposes; detailed results not particularly needed
  • What is covered: Seal of approval, along with reporting on service controls