The SSAE 16 process, on the surface, sounds confusing. Most of this has to do with the terminology that is used, particularly the similarity of the terms. In this blog post we are going to cover what the SSAE 16 is, what the different SOC Reports are, what the different types of SOC Reports are, and finally what the 5 Trust Principles are.
First, let's define what the SSAE 16 is and provide some background. The SSAE 16 stands for Statement on Standards for Attestation Engagements and is the professional standard outlined by the American Institute of Certified Professional Accountants (AICPA). This version replaced the older, antiquated SAS 70 auditing standard that had been in use for 20+ years. The SSAE 16 and associated Service Organization Control (SOC) Reports are a lightly enforced framework and are not prescriptive in nature; rather, they allow a little more flexibility for the auditing firm based on the nature of the company going through the SSAE 16 engagement.
Under the umbrella of the SSAE 16 engagement are three different types of SOC Reports. These are referred to as a SOC 1, SOC 2, and SOC 3 report. A brief overview of each and what it specifically deals with is listed below:
Where the SSAE 16 process can get confusing, outside of the SOC reports, is the different types of reports contained within each. Both the SOC 1 and SOC 2 reports contain what are called Type I and Type II reports. While these reports look at different controls (SOC 1 = Financial Reporting controls, SOC 2 = All other controls), the types of reports are important to differentiate:
The Type I Report is for a snapshot or point in time, whereas the Type II Report covers a period of reporting, usually 6 months or more. A Type II Report is generally more involved, as it is not only a statement of the controls in place but also includes the testing of those controls.
The last thing that we will hit on in this blog post is the 5 Trust Principles that are a part of the SOC 2 Report. We will cover the specifics of these in greater detail in another blog post, but the 5 Trust Principles and a brief description are:
That is a brief, information-packed overview of the SSAE 16 engagement and all that it entails. If you're confused, we can help. If you're not sure what type of SOC report is appropriate, we can help. If you aren't sure what Trust Principles are in scope, you guessed it, we can help. To help prepare you for the SSAE 16 engagement process, contact us! Drop any comments or questions you have below so we can get answers or feedback to you!