Which SOC Fits Your Company Best?


With the change from SAS 70 to SSAE 16 effective June 15, 2011, there are now more choices for service organizations when it comes to undergoing an independent audit of the controls in place surrounding the services the organization provides its clients. Let SSAE 16 Professionals help navigate which Service Organization Controls (SOC) report fits best for the services your company provides.


SSAE 16 Professionals is a leading provider that specializes solely in SSAE 16 readiness reviews, SSAE 16 Type I Reports, SSAE 16 Type II Reports, SOC 2 Reports, and SOC 3 Reports. Under the previous guidelines, a SAS 70 audit was used for audits of all types of controls, including operational and regulatory compliance controls. The SOC report used for audits of controls that impact a user organization’s internal controls over financial reporting is called a SOC 1 report. The SOC 1 is synonymous with SSAE 16 and supersedes the SAS 70 audit. The SOC 1 report is a restricted use report generally for use by the user organization and the user organizations’ external auditor. Like the old SAS 70, a SOC 1 can be either a Type I or a Type II.

A SOC 2 is also a restricted use report that falls under the AT 101 guidelines and can also be either a Type I or a Type II. The typical users of a SOC 2 report will include prospective clients of the service organization, management of the service organization, and independent auditors providing services to the user organizations. The SOC 2 audit will cover operational and/or regulatory compliance controls and follows pre-defined Trust Services Principles and Criteria. One or more of the following five control objectives will be covered under a SOC 2 audit: security, availability, processing integrity, privacy, confidentiality.

The SOC 3 is SysTrust for service organizations and is a general use report (with a public seal) that also falls under the AT 101 guidelines covering controls related to regulatory compliance and/or operations. Like the SOC 2, the SOC 3 also follows pre-defined Trust Services Principles and Criteria. A SOC 3 report documents the auditor’s opinion on whether or not the service organization’s system achieved the trust services criteria (no description of tests and results or opinion on the description of the system). The service organization can distribute the SOC 3 report to its customers and publicly display a SOC 3 seal of approval on its website.

“Most business executives prefer a collaborative partner when seeking professional services,” says Jim Jimenez, Partner at SSAE 16 Professionals. “SSAE 16 Professionals offers the ultimate value proposition: competitive fees coupled with unparalleled client service and expertise.”

SSAE 16 and SOC 2 Readiness Reviews
SSAE 16 and SOC 2 Readiness Reviews are consulting engagements designed to assist service organizations in assessing their preparedness for an SSAE 16 or SOC 2 audit. SSAE 16 Professionals works collaboratively with management teams to perform a detailed readiness review and provide a gap matrix that identifies controls that would pass right away, controls that would partially fail, and controls that would fail and require remediation (in priority order with recommendations for remediation). Some firms go right into the SSAE 16 and realize there are issues which result in a qualified opinion. By that time, the service organization has spent a lot of time and money only to get a qualified report (which is useless to both the service organization and its clients).

SSAE 16 and SOC 2 Type I and Type II Reports
In addition to Readiness Reviews, SSAE 16 Professionals completes both SSAE 16 and SOC 2 Type I and Type II Reports.

  • SSAE 16 and SOC 2 Type I Reports - A report on policies and procedures placed in operation as of a specified point in time. SSAE 16 Type I Reports evaluate the design effectiveness of a service provider’s controls and then confirm that these controls have been placed in operation as of a specific date.
  • SSAE 16 and SOC 2 Type II Reports - A report on policies and procedures placed in operation and tests of operating effectiveness for a period of time. SSAE 16 Type II Reports include the examination and confirmation steps involved in a Type I examination and also include an evaluation of the effectiveness of the controls for a period of at least six calendar months. Most user organizations require their service provider to undergo the Type II level examination for the greater level of assurance it provides.

About SSAE 16 Professionals
SSAE 16 Professionals is one of the nation’s leading firms specializing solely in SSAE 16 audits and readiness assessments. Each of our professionals has over 10 years of relevant experience at “Big 4” and other large international or regional accounting firms. Each professional is certified as a CPA (Certified Public Accountant), CISA (Certified Information Systems Auditor), CIA (Certified Internal Auditor), CISSP (Certified Information Systems Security Professional), and/or MBA (Master of Business Administration). For more information, please visit http://www.SSAE16Professionals.com.


Jim Jimenez - Managing Partner