SOC 1, SOC 2, and SOC 3 Reports

What is an SSAE 16?

SSAE 16 is an enhancement to the current standard for Reporting on Controls at a Service Organization, SAS 70. The changes made to the standard will bring your company, and the rest of the companies in the US, up to date with new international service organization reporting standards.

What are the new types of reports?
With the change from SAS 70 to SOC reports, there are now several types of reports that can be issued. Below is a brief summary of each of these SOC reports:

[Figure: SOC Flow]

SOC 1 Report
A SOC 1 report examines internal controls at a service organization that impact a user entity's (your customer's) controls over financial reporting. This report is only to be issued when an auditor of your customer needs to gain comfort with your controls to be able to issue audited financial statements. This report can only be used by the auditors of user entities and user entities' management.

Within SOC 1 reporting, there are Type 1 and Type 2 reports. A Type 1 report identifies the controls at a service organization but involves no testing to determine whether the controls are operating effectively. A Type 2 report identifies the controls and reports on their operating effectiveness based on the testing performed.

AT 101 SOC 2 Report
An AT 101 SOC 2 report provides detail on the controls at a service organization relevant to the trust service principles. The five trust principles are:

[Figure: SSAE 16 Tiered]


The AT 101 SOC 2 report can cover any or all of these principles. A SOC 2 report is typically provided to customers to give them comfort over the controls surrounding the trust service principles. Similar to SOC 1 reporting, both Type 1 and Type 2 reports are available within SOC 2 reporting.

SOC 3 Report
A SOC 3 report involves the same procedures as a SOC 2 Type 2 report, without the details on the controls. This report is typically used for marketing purposes, and there are no restrictions on who may receive it.


For more details on how Compass can help your organization with your SOC reports, view our SOC 2 Readiness Approach.