SSAE 16, SSAE 18, SOC 1 and SOC 2: Ultimate Guide

Updated: Aug 17



As computing technologies grow and improve with time, data and infrastructure hosting is getting easier for businesses. Deploying software to production is now faster and a lot more flexible than it used to be. Before cloud technology came to scale, it was almost like reconstructing the ladders each time you needed to go up.

It now takes just a few days to build full-fledged software and host it on the cloud. But as with everything else, the ease of cloud infrastructure cuts both ways. You get powerful servers, but you don’t really own them. Your critical data (or your customers’) is no longer in your control; it’s out there. With so much risk involved, innovation in maintaining the security, integrity, confidentiality, and privacy of your data is essential. This is exactly where SSAE 16, SSAE 18, SOC 1, and SOC 2 come into the picture.

What do they signify? Let’s find out.


What is SSAE 16?

SSAE 16 refers to Statements on Standards for Attestation Engagements no. 16.

In simple terms, it’s an auditing standard (or a set of standards) that also involves a descriptive report on organizational controls and processes at service organizations. Unlike earlier standards, SSAE 16 essentially requires a written attestation from a service company. The report represents organizational systems, control objectives, and operational activities directly related to users. Audits are conducted on the basis of the SSAE 16 framework, applied specifically to System and Organizational Control (SOC 1) reports. SSAE 16 was superseded by SSAE 18 in 2017.


What is SSAE 18?

SSAE 18 came into effect in 2017, as an outcome of the clarity project by the AICPA’s Auditing Standards Board (ASB). It is the current set of standards and guidance that is followed for reporting on organizational controls and operations at service organizations. The aim behind introducing a new standard was to update and simplify previous standards. Like SSAE 16, audits done using SSAE 18 result in SOC 1 reports, but also in SOC 2 and SOC 3 reports (which were previously held under AT 101). Numerous changes have been included in SSAE 18. For example, SSAE 18 essentially requires that service organizations recognize sub-service organizations and issue risk assessments to auditors.


What is SOC 1?

SOC 1 is a report generated after the audit for SSAE 18, testing a service organization for financial controls. SOC 1 is primarily focused on a service provider’s activities and controls that can potentially impact the client’s internal control over financial reporting (ICFR). The assessment helps establish that both the system and the personnel responsible for these controls at the third-party provider are actively avoiding an adverse impact on their client’s ICFR. This report is critical to services such as payroll, financial planning and taxation because, when outsourced to a third-party provider, such services have a direct impact on a client’s ICFR.

Think of it this way: if you outsource Human Resources management to a service provider with inefficient controls in place, you risk errors in your internal data. The result will be problematic for you because, in the end, you will be held accountable for those errors.

What is SOC 2?

One of the most important reports for third-party (vendor) data security and SOX compliance is the SOC 2 Audit.

The SOC 2 attestation report (also called an audit report) examines a service organization's controls for information security. SOC 2 defines 5 criteria for managing customer data, known as the Trust Services Criteria: security, privacy, availability, processing integrity, and confidentiality.

SOC 2 reports are unique for each organization. In line with specific business practices, each designs its own controls to comply with one or more of the trust principles.

These internal reports provide you (along with regulators, business partners, suppliers, etc.) with important information about how your service provider manages data.

There are two types of SOC reports:

  • Type 1 examines a vendor’s systems for information security controls and validates whether their design is suitable to meet relevant trust principles.

  • Type 2 examines the operational effectiveness of those systems.

While SOC 2 compliance isn’t a requirement for SaaS and cloud computing vendors, its role in securing your data cannot be overstated.

Suppose you use third-party Human Resources management software. The SOC 2 report verifies the service provider’s ability to keep the records online and the data of your employees secure and in line with your own Information Security Policy.


How can Scrut help?

Scrut Automation is a one-stop shop for compliance. Our software provides the fastest solution for achieving and maintaining standards and compliances, making it an ideal choice for busy startups. Schedule your demo today to see how it works.

