Risk Advisory

SSAE 16 / SOC 1,2,3

As business becomes more specialized, many companies are extending their reach by leveraging the abilities of other companies through outsourcing. The challenge is to ensure that adequate internal controls are in the place at outsourcing companies. A Service Organization Controls (SOC) report attests to the service organization's controls.

Statement on Standards for Attestation Engagements 16 (SSAE 16) was created by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) to define how service companies report on compliance controls.

There are three types of SOC reports to meet the specific needs of different service organizations: 


The SOC 1 report is specific to the service organization's internal controls, likely relevant to financial reporting or internal controls over financial reporting. The report is restricted to existing user entities and their financial auditors and is not intended for potential customers.


The SOC 2 report covers controls beyond financial reporting, such as operational risks. Specifically, the report details one or more of the following five AICPA Trust Services Principles and Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy.


The SOC 3 also utilizes the AICPA Trust Services Principles and Criteria, but the report does not include a detailed description of the system's controls. There are no restrictions on the distribution of the report. SOC 3 reports can also be delivered in the form of a seal, which can be displayed on the service organization's website. 

Questions? Ask an expert.

Adele M. Jasion

user    View

Stay up to date with free industry newsletters from GJM