SSAE 16 SOC 2 Reports: What Are They?

The SSAE 16 process, on the surface, sounds confusing. Most of this has to do with the terminology that is used, particularly the similarity of the terms used. In this blog post we are going to cover what the SSAE 16 is, what the different SOC Reports, what are the different types of SOC Reports, and finally what are the 5 Trust Principles. 

First, let's define what the SSAE 16 is and provide some background. The SSAE 16 stands for Statement on Standards for Attestation Engagements and is the professional standard outlined by the American Institute of Certified Professional Accountants (AICPA). This version replaced the older, antiquated SAS 70 auditing standard that had been in use for 20+ years. The SSAE 16 and associated Service Organization Control (SOC) Reports are a lightly enforced framework and are not prescriptive in nature, rather they allow for a little more flexibility by the auditing firm based on the nature of the company going through the SSAE 16 engagement. 

Under the umbrella of the SSAE 16 engagement are three different types of SOC Reports. These are referred to as a SOC 1, SOC 2, and SOC 3 report. A brief overview of each and what they specifically deal with are listed below:

• SOC 1 Report - These reports deal specifically with controls that are relevant to internal controls over financial reporting. 
• SOC 2 Report - These reports deal with controls that fall outside the area of internal controls over financial reporting. Specifically they address reports on controls at a service organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy (The 5 trust principles). This is the report that Compass assists with as it deals heavily with controls around IT Security, as evidenced by the 5 trust principles.
• SOC 3 Report - These reports are general use reports, typically very short in nature, that can be freely distributed to clients and prospects and are often times what is seen on a company's website to demonstrate their completion of the SSAE 16 engagement.

Where the SSAE 16 process can get confusing, outside of the SOC reports, is the different types of reports contained within each. Both the SOC 1 and SOC 2 reports contain what are called Type I and Type II reports. While these reports look at different controls (SOC 1 = Financial Reporting controls, SOC 2 = All other controls), the types of reports are important to differentiate"

• Type I Reports - A Type I report is officially known as "A report on the fairness of the presentation of management's description of a service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date" by the AICPA within a specified date range
• Type II Reports - A Type II report is officially defined as "A report on the fairness of the presentation of management's description of a service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period of time" by the AICPA

The Type I Report is for a snapshot or point in time where the Type II Report covers a period of reporting, usually 6 months or more. A Type II Report is generally more involved as not only is this a statement of the controls in place but also the testing of those controls.

The last thing that we will hit on in this blog post is the 5 Trust Principles that are a part of the SOC 2 Report. We will cover the specifics of these in greater detail in another blog post, but the 5 Trust Principles and a brief description are:

• Security - The system is protected against unauthorized physical and logical access
• Availability - The system is available for use as committed or agreed upon
• Processing Integrity - Processing within the system is complete, accurate, timely and authorized
• Confidentiality - Information within the system deemed confidential is protected
• Privacy - Personal information is collected, used, retained, disclosed, and destroyed as outlined in the organizations privacy notice and with criteria issued by the AICPA and CICA

There is a brief, information packed overview of the SSAE 16 engagement and all that it entails. If you're confused, we can help. If you're not sure what type of SOC report is appropriate, we can help. If you aren't sure what Trust Principles are in scope, you guessed it, we can help. To help prepare you for the SSAE 16 engagement process, contact us! Drop any comments or questions you have below so we can get answers or feedback to you!