SSAE 16 SOC 2 Reports: How Are They Different From Other SOC Reports?

Fact: More and more organizations are outsourcing business functions to third party providers so they can concentrate on their core business functions, reduce headcount, and ultimately save money. A great example of this is what is called Business Process Outsourcing (BPO) where companies outsource specific business functions to that third party provider. Some common examples of these processes include:

• Payroll
• Customer Service / Support
• Employee Benefits

With this increase in outsourcing specific business functions combined with increased regulatory oversight, more and more organizations are being required to conduct assessments and provide verification of their internal controls. This process and subsequent report is known as an SSAE 16. Inside of this SSAE 16 "shell" are three different SOC (Service Organization Controls) reports that are issued by a CPA firm under guidance from the AICPA. At a very high level, there are three different types of SOC Reports:

• SOC 1
• SOC 2
• SOC 3

While there are other types of reports in each of these SOC reports (we will cover that next week so stay tuned), how do you know which one you need, when you need it, and who is authorized to view it? With the assistance of our partner, Mike Mellor from DiSanto, Priest, & Co., we have included quick breakdown of the differences between these SOC Reports as so you can differentiate between them.

• SOC 1 Report - This type of report is specific to the internal controls around financial statements at a service organization. This is a restricted use report meaning that it cannot be shared with just anyone, only those who are identified in the Restricted Use paragraph of the report
• SOC 2 Report - This type of report is specific to the internal controls at a service organization related to compliance or operations. This report is based on the 5 Trust Principles (Security, Processing Integrity, Confidentiality, Availability, and Privacy). This report is also a restricted use report which means that it cannot be shared with anyone not listed in the Restricted Use paragraph of the report 
• SOC 3 Report - This report is similar to a SOC 2 report, however, it is not restricted use and can be shared with anyone that is looking to review the report. In addition, the SOC 3 report allows a service organization to use the SOC 3 Report and Systrust for Service Organizations Seal on their website

Next week we are going to look specifically at the SOC 2 report as there are two different types of SOC 2 reports. If you have any questions regarding the SOC reporting process, please contact us! Till next week...