SSAE 16/SOC 1 and Trust Services Principles - SOC 2/SOC 3 - Both are Valuable Reports to User Entities


By Donald Owens

With the retirement of SAS 70 and the introduction of the Service Organization Control (SOC) examinations, the AICPA has established three SOC reporting options (SOC 1, SOC 2, and SOC 3) to meet the varying information and assurance needs of entities that use service organizations. Although these examinations have been effective for service auditor’s reports with periods ending on or after June 15, 2011, much confusion remains in the market as to how a single SAS 70 examination has evolved into very distinct and separate SOC examinations. Taking its lead from the many requirements mandated by the Sarbanes-Oxley Act that are enforced through the SEC and PCAOB, the AICPA recognized shortcomings in the SAS 70 audits. Specifically, controls at a service organization relevant to user entities’ internal control over financial reporting were, in many cases, not properly covered in the SAS 70 audits. To address this concern, the AICPA issued Statement on Standards for Attestation Engagements (SSAE) No. 16, which focuses on controls at service organizations and results in the issuance of a SOC 1 report.

Recognizing the reliance and trust user entities place in service organizations for technology support, the AICPA, drawing from the criteria of Trust Services Principles (TSP) 100, established SOC 2 and SOC 3 examinations (SOC 3 examinations address the same subject matter as SOC 2 engagements). Both SOC 2 and SOC 3 examinations address controls at a service organization related to the security, availability, processing integrity, confidentiality, and/or privacy of the information processed on behalf of user entities.


© 2019 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.