
AT Section 101 stands for the "Attestation Standards" from section 101 within the codification standards. In simpler terms, AT Section 101 is the professional attest standard that will be utilized for issuing Service Organization Control (SOC) reports, specifically SOC 1 and SOC 2 reports. Keep in mind that the new SSAE 16 standard, which falls under the SOC 1 framework, is limited to reporting on internal control over financial reporting (ICFR), while SOC 2 and SOC 3 are used for "Reporting on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy". Thus, SOC 2 and SOC 3 each have their own guidance, put out by the AICPA for SOC 2 and jointly by the AICPA and CICA for SOC 3, but both must still adhere to AT Section 101 as the professional standard.

In short, look at AT Section 101 as the underlying professional framework for issuing a SOC 2 and SOC 3 report, while the audit guides provide the substance, guidelines, and reporting details for each respective SOC report. Specifically, the audit guides and supporting material used for SOC 2 and SOC 3 reports are the following:

Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, and/or Privacy

Source: http://www.cpa2biz.com/AST/Main/CPA2BIZ_Primary/AuditAttest/IndustryspecificGuidance/PRDOVR~PC-0128210/PC-0128210.jsp

Trust Services Principles | Developed jointly by the AICPA and the Canadian Institute of Chartered Accountants (CICA)

Source: http://www.cica.ca/service-and-products/business-opportunities-for-cas/trust-services/item10796.pdf

In summary, AT Section 101 is to be the professional standard for SOC 2 and SOC 3 reporting, while SSAE 16 is the professional standard for SOC 1 reporting. Please keep in mind that if you are considering undertaking SSAE 16 compliance, you will need to establish a credible "link" between SSAE 16 and the ICFR concept. An SSAE 16 Readiness Assessment by a well-qualified IR CPA can be an excellent starting point. In short, if you decide to opt for SOC 1 reporting rather than SOC 2 or SOC 3, you'll want to learn about SSAE 16 compliance and the development of control objectives for the engagement.

Lastly, visit these helpful pages to learn more about the new Service Organization Controls (SOC) framework and AT Section 101:

  1. AICPA SOC reporting framework
  2. SOC 1 and SSAE 16
  3. SOC 2
  4. SOC 3
  5. Introduction to AT Section 101

Since 2006, NDNB has been setting the standard for security & compliance regulations