SSAE 16 Reports on Controls
A Service Organization Control (SOC) report is an extremely useful description of a company’s controls, processes and procedures. Unlike the former SAS 70 reports, which were intended to be a communication tool between the service organization’s auditor and the user organization’s auditor only, certain SOC reports can be utilized in different capacities based on specific user needs:
- A SOC 1 report is intended to report on controls at a service organization relevant to user entities’ internal control over financial reporting. This report is the most similar to the legacy SAS 70 report that users are now familiar with. There is a Type 1 and Type 2 reporting option for SOC 1 just as with SAS 70. Distribution and use of these reports are restricted to management of the service organization, the user entities and their auditors.
- A SOC 2 report is a report on controls other than those related to financial reporting, such as security, privacy, confidentiality, processing integrity and availability. This report can be restricted in distribution to customers, regulators and others that have an understanding of the service organization and its related controls. Similar to the SOC 1, this report has both a Type 1 and Type 2 option.
- A SOC 3 report is similar to the SOC 2 report, but has no restrictions on distribution or use. It is the ideal report for service organizations to share with current and prospective customers, business partners, etc., when they wish to demonstrate that they have appropriate controls in place to mitigate risks that may impact a customer. This report will likely serve as a beneficial marketing piece, a purpose for which many service organizations had previously used the SAS 70 report.
- A Type I report tests and describes the internal controls that are in place at a service provider and includes an auditor’s opinion on the effectiveness of the design of those controls.
- A Type II report includes the information in a Type I report, but goes a step further. This report actually tests the controls that are in place during a defined period of time in order to reach a conclusion about whether those controls are operating effectively.
Our advisors can assist with all aspects of your SOC reporting needs. Based on your situation, we may analyze your practice’s policies and procedures to determine if there are any deficiencies prior to the SOC engagement (Readiness Phase).