SOC 2 Audit Understanding: Purpose and Report Variation from SSAE 16 (SOC 1)


Since the American Institute of Certified Public Accountants (AICPA) released its Service Organization Controls (SOC) reporting framework in June 2011, there has been a constant stream of requests for more information and interpretation. Understanding SOC 2 audits and determining which report variation best serves a given organization can be a daunting task.

Delivering SSAE 16 Type I and Type II Reports

SSAE 16 Professionals, LLP

SSAE 16 Professionals, LLP is a leading provider that specializes solely in SSAE 16 (SOC 1) and SOC 2 readiness assessments, SSAE 16 (SOC 1) and SOC 2 Reports, and other IT audit and compliance reports.

As an experienced PCAOB-registered CPA firm, the professionals at SSAE 16 Professionals, LLP wish to share some information to facilitate a better understanding of SOC 2 audits.

A Brief SOC 2 Background

Unlike the perceived “one size fits all” approach of the former SAS 70, the new AICPA SOC framework provides multiple reporting options. For service organizations today, SSAE 16 audits, also known as SOC 1 audits, retain the original purpose of SAS 70 by providing a means of reporting on the service organization’s system of internal control as it relates to user entities’ internal control over financial reporting (ICFR). However, the services provided by many service organizations may not impact ICFR. In these instances, a SOC 2 report will be a better fit for the service organization.

Service organizations are now effectively required to choose between SSAE 16, SOC 2 and SOC 3. Consultation with an experienced CPA firm such as SSAE 16 Professionals, LLP can assist in deciding which report, or reports, best supports the service organization’s objectives.

Understanding the Basics of SOC 2

For companies providing services that do not impact their clients’ ICFR, the AICPA has issued an Interpretation under AT Section 101 permitting service auditors to issue reports. These reports are now considered SOC 2 or SOC 3 reports and focus on controls at a service organization relevant to the following (Trust Services) principles:

  • Security: The system is protected against unauthorized access (both physical and logical)
  • Availability: The system is available for operation and use as committed or agreed
  • Processing Integrity: System processing is complete, accurate, timely, and authorized
  • Confidentiality: Information designated as confidential is protected as committed or agreed
  • Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in the generally accepted privacy principles issued by the AICPA and CICA

This means that many companies that have used SAS 70 reports in the past will now need a SOC 2 report (e.g. managed service providers, Software as a Service (SaaS) providers, cloud computing providers, etc.). In fact, some user organizations (clients/customers of the service organization) are requesting that the service organization obtain both an SSAE 16 (SOC 1) report and a SOC 2 report. SOC 2 reports are restricted-use reports, which means their use is restricted to:

  • Management of the service organization (the company that has the SOC 2 performed)
  • User entities of the service organization (customers, regulators, business partners, suppliers, etc.)

As with SSAE 16 (SOC 1) reports, SOC 2 reports can be issued as either Type I or Type II:

  • Type I – a report on policies and procedures placed in operation as of a specified “point in time”. A SOC 2 Type I report evaluates the design effectiveness of a service provider’s controls and confirms that the controls have been placed in operation as of a specific date.
  • Type II – a report on policies and procedures placed in operation, plus tests of their operating effectiveness over a “period of time”.
    o SOC 2 Type II reports include the examination and confirmation steps of a Type I examination plus an evaluation of the operating effectiveness of the controls over a period of at least six consecutive calendar months. Most user organizations require their service provider to undergo the Type II examination for the greater level of assurance it provides.

About SSAE 16 Professionals, LLP

SSAE 16 Professionals, LLP is a leading provider that specializes solely in SSAE 16 (SOC 1) and SOC 2 readiness assessments, SSAE 16 (SOC 1) and SOC 2 reports, and other IT audit and compliance reports. Each of our professionals has over 10 years of relevant experience at “Big 4” and other large international or regional accounting firms. Each professional is certified as a CPA (Certified Public Accountant), CISA (Certified Information Systems Auditor), CIA (Certified Internal Auditor), CISSP (Certified Information Systems Security Professional), CRISC (Certified in Risk and Information Systems Control) and/or holds an MBA (Master of Business Administration). For more information, please visit http://www.SSAE16Professionals.com


Contact Author

Jim Jimenez - Managing Partner