June 18, 2018

As of June 15, 2011, SSAE 16 has replaced SAS 70, becoming the attestation standard on which audits of a service organization's control environment are based.

Why are SSAE 16, SOC 1, SOC 2, and SOC 3 needed?

The primary reason for the SSAE 16 (SOC 1), SOC 2 and SOC 3 audits is to provide assurance to a third party and its auditors that a company providing an outsourced service is doing so with proper controls in place to prevent financial misstatements and to provide an appropriate level of security, availability, processing integrity, confidentiality, and/or privacy.

I Have a SAS 70. What Now?

If you have recently performed a SAS 70 or are relying upon another company's SAS 70 report, the next report you receive should be performed under the SSAE 16 guidance and provided as a SOC 1 report. Depending upon the outsourced service performed, the SOC 2 and SOC 3 reports are new options that may be a better fit for your organization.

Service Organizations:
The changes impacting Service Organizations (the providers of the outsourced service) may appear minor; however, they are now required to choose among three report types (SOC 1, SOC 2, or SOC 3), and that choice can drive control and compliance requirements. Additionally, management is now required to attest to the operating effectiveness of the business's controls and to report any known deficiencies, increasing its responsibility.

User Organizations:
User Organizations (the users of the outsourced service) will have increased confidence in the report and in the effectiveness of the Service Organization's controls, because the Service Organization's management is now required to attest to those controls in addition to the auditor's opinion. Additionally, with the new report types, you will have a clearer understanding of the controls in place and receive a more effective report for your auditors.

The switch from SAS 70 to SSAE 16 (SOC 1), SOC 2, or SOC 3 is necessary, and choosing the correct report is fundamental to meeting the compliance expectations of user organizations. If you have not talked to a service provider about making the transition, please complete the form on the right-hand side and allow us to assist in the process.

Does My Business Require an Audit?

If your business performs outsourced services for another company, especially a public company, the answer is most likely yes, depending upon the materiality and/or criticality of the services performed. Some example industries and services that typically would benefit from having a SOC 1, SOC 2, or SOC 3 performed include:
  • Application Service / Hosting Providers
  • Asset Management
  • Benefits Administrators
  • Claims Filing Administration & Processing
  • Clearinghouses
  • Collection Agencies
  • Co-locations / Data Centers
  • Computer Hardware and Software
  • Credit Card Processing
  • e-Commerce Providers
  • Electronic Payment Systems
  • Financial Services
  • Gaming/Government Lotteries
  • Information and Records Management
  • Insurance and Financial Services
  • Payroll Service Providers
  • Pension Administrators
  • Print / Mail Fulfillment Houses
  • Software as a Service (SaaS) Providers
  • Third Party Administrators