AT Section 101 vs. SOC 1 SSAE 18 often comes up as a topic of conversation because they're both an important component of the AICPA Service Organization Control (SOC) reporting framework. Specifically, SSAE 18 (as of May 1, 2017) is the professional standard used for SOC 1 reporting, while AT Section 101 is the professional standard used for SOC 2 and SOC 3 reporting. And AT Section 101 has only really gained considerable attention because of the AICPA SOC platform, which allows service organizations three reporting options to choose from - SOC 1, SOC 2, and SOC 3. With that said, take note of the following essential points regarding AT Section 101 vs. SOC 1 SSAE 18.
1. AT Section 101 and SOC 2 and SOC 3: As just stated, AT Section 101 is the professional standard used for SOC 2 and SOC 3 reporting. It's a relatively little-known standard, but has now been pushed into the spotlight thanks to the AICPA SOC reporting platform. Look at AT Section 101 as a standard that provides general provisions and guidelines for attesting to a specific subject matter.
2. SOC 1 SSAE 18 and SOC 1: As for SOC 1 SSAE 18, it's much more well-known than AT Section 101, due in large part that it effectively has replaced the two-decade old SAS 70 auditing standard, and also SSAE 16. And though many in the accounting and auditing profession refer to it as simply "SSAE 18 reports", it's technically the professional standard used for issuing SOC 1 reports under the AICPA SOC reporting framework. And much like SSAE 16, SSAE 18 has firmly planted itself as the global de facto reporting standard for service organizations, though the international standard (ISAE 3402) is just as viable in many regards.
3. The SOC 1 vs. SOC 2 Debate: SOC 1 SSAE 18 reports shot out of the gate quickly, replacing SSAE 16 (which replaced SAS 70), and have never looked back. SOC 2 reporting - which uses AT Section 101 - has seen a much slower adoption by service organizations and the accounting and auditing profession as a whole. Time will tell if this changes, but it's important to note that SOC 2 reporting is intended for the growing number of technology companies - data centers, software developers, managed service providers, software as a service (SaaS) entities, and more.
4. Why SOC 1 SSAE 18 Reports are Leading the Pack, but not for Long: A big part of the success of SOC 1 SSAE 18 over SOC 2 AT Section 101 reporting is that of familiarity. Specifically, everyone knew that the SSAE 16 standard (for which SSAE 18 replaced) was effectively replacing the well-known, long-standing SAS 70 auditing standard. As for SOC 2 AT Section 101 reporting, it was quite new – hence – adoption has been slow, but not anymore, as technology companies are moving quickly towards SOC 2 audits.
5. The Future of AT Section 101 vs. SOC 1 SSAE 18: SOC 1 SSAE 18 is full steam ahead – being used by many service organizations for reporting on their control environment. As for SOC 2 AT Section 101 reporting, it has gained incredible momentum in the past few years, and will likely surpass SOC 1 SSAE 18 in terms of relevance and use.
Other important aspects regarding AT Section 101 and SOC 1 SSAE 18 you may want to learn about consist of the following: