Compliance White Papers


SSAE 16 SOC 1 2 3 can be quite confusing at first, and to be fair, when the American Institute of Certified Public Accountants (AICPA) replaced the antiquated and aging SAS 70 auditing standard, there was some grumbling about the who, what, where, and why of SSAE 16 SOC 1 2 3. Let's clear the air about SSAE 16 SOC 1 2 3 with the following five (5) important points you should know:

1. What exactly does "SSAE 16 SOC 1 2 3" mean? SSAE 16 is part of the new Service Organization Control (SOC) reporting platform put forth by the AICPA, for which there are three (3) reporting options: a SOC 1, SOC 2, or SOC 3. Confusing? Let's break it down some more! Learn more about NDNB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.

2. What is SOC 1? SOC 1 is the reporting option for which the SSAE 16 professional standard is used, resulting in a SOC 1 SSAE 16 Type 1 and/or a SOC 1 SSAE 16 Type 2 report. SSAE 16 is essentially the new standard that replaced SAS 70, so many service organizations are simply migrating from SAS 70 reporting to SSAE 16 reporting. It's important to note that SSAE 16 is technically geared towards service organizations that have a credible relationship, or "nexus", with their clients' Internal Control(s) over Financial Reporting, more commonly known as the "ICFR" concept.

3. What is SOC 2? SOC 2 is the reporting option that was specifically designed for many of today's cloud computing, Software as a Service (SaaS), and technology-related service organizations. Because the overall nature, business model, and services provided by service organizations have evolved dramatically within the last decade, a new reporting option was greatly needed to accommodate these changes. SOC 2 reporting utilizes the AICPA AT 101 professional standard, and much like SOC 1 reports, a SOC 2 report can be a Type 1 and/or a Type 2. Additionally, much like SOC 3 (discussed below), a SOC 2 report can cover any number of the five (5) Trust Services Principles, which are Security, Availability, Processing Integrity, Confidentiality, and Privacy.

4. What is SOC 3? SOC 3 is the reporting option that allows service organizations to report on any number of the five (5) Trust Services Principles, which are the following:

• Security: The system is protected, both logically and physically, against unauthorized access.
• Availability: The system is available for operation and use as committed or agreed to.
• Processing Integrity: System processing is complete, accurate, timely, and authorized.
• Confidentiality: Information that is designated "confidential" is protected as committed or agreed.
• Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity's privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).

These five (5) Trust Services Principles (TSP) form the framework for what is known as SysTrust/WebTrust audit and assurance services, also known as the Trust Services, which are a broad-based set of principles and criteria put forth jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).

5. Which SOC reporting option should we use? This depends on your organization's reporting needs, what your clients expect and demand, and other notable factors. While many service organizations are simply migrating from SAS 70 to the SOC 1 SSAE 16 reporting option, it's important that you learn about SOC 2 and SOC 3 and determine whether these reporting options are more in line with your organizational needs.

We hope you now have a better understanding of what "SSAE 16 SOC 1 2 3" actually means. To learn more about SSAE 16 SOC 1 2 3, or to receive a competitive, fixed fee quote for all your reporting needs, contact Charles Denyer at 1-800-277-5415, ext. 705, or Christopher G. Nickell at 1-800-277-5415, ext. 706.
