By Gil Vidals, HIPAA Blog, Resources

SSAE 16, or Statements on Standards for Attestation Engagements No. 16, is a reporting standard created by the American Institute of Certified Public Accountants (AICPA) for all service auditors and service organizations (including data center facilities) throughout the United States.

SSAE 16 requires a written assertion from the service organization accurately describing the operational effectiveness of its organizational controls. This description must cover the services the organization provides, along with all applicable operational activities that affect the services used by the organization's customers.

Service organizations also need to declare that the description accurately presents the control objectives for the time period in which they are to be assessed.

Based on AICPA reporting standards, when an audit is conducted under SSAE 16, a Service Organization Control (SOC) report is produced. These reports focus on internal controls and financial reporting, and are issued as either Type 1 or Type 2 reports.

Type 1 reports provide an assessment as of a specific date, such as February 12, 20xx, while Type 2 reports cover a broader scope generally known as a "testing period." This period can be anything from one week to one month to one year.

Type 1 reports only present the assessor's opinion on the accuracy and completeness of the service description provided by the organization, along with the suitability of the design of the controls as of a specific date.

Type 2 reports cover the Type 1 details and also provide audit results on the operational effectiveness of those controls throughout a defined time period, usually between six months and a year.

SOC data center compliance has become a mandatory requirement for many facilities throughout North America that offer co-location services. SOC reports present and validate, with a high level of assurance, that a data center is secure, highly available, and operating under a consistent set of high-integrity processes.

As such, heavy regulatory compliance burdens continue to be levied upon such facilities, with SSAE 16 serving as the standardized auditing standard for that assurance reporting.

SOC 1 assessments address the financial reporting of service organizations; SOC 2 assessments target technology-oriented service organizations, with granular detail about the security controls in use. SOC 3 assessments summarize the results of a SOC 2 report at a higher, less detailed level.

SOC 1

  • Restricted Use Report
  • Purpose: Reports on controls for Financial Statements audits

SOC 2

  • Generally a Restricted Use Report
  • Purpose: Reports on controls related to compliance or operations

SOC 3

  • General Use Report
  • Purpose: Reports on controls related to compliance or operations

SOC 1

  • Reports on service organization controls relevant to financial reporting
  • Restricted only to management personnel for service organizations, user entities, and user auditors

SOC 2

  • Reports on service organization controls relevant to security, availability, processing integrity, confidentiality, privacy
  • Provides a description of service auditor’s control testing and results thereafter

SOC 3

  • Covers an overview of SOC 2 report
  • Service auditor’s control testing and results are not included
Who uses each report, why, and what it covers:

SOC 1

  • Who uses this: Management of the service organization, user entities, and auditors
  • Why they use it: Audit of financial statements
  • What is covered: Controls relevant to user entity financial reporting

SOC 2

  • Who uses this: Management of the service organization and user entities, regulators, others
  • Why they use it: Governance, risk, and compliance programs; oversight; due diligence
  • What is covered: Concerns regarding a system's security, availability, processing integrity, confidentiality, or privacy

SOC 3

  • Who uses this: Any users with a need for confidence in the security, availability, processing integrity, confidentiality, or privacy of a service organization's system(s)
  • Why they use it: Marketing purposes; details not particularly needed
  • What is covered: Seal of approval, along with reporting on service controls

Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil's mission has been to provide uncompromising and affordable HIPAA compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached here on LinkedIn.