Audit terminology: SAS 70, SSAE 16, SSAE 18, SOC1, SOC2, Type 1, Type 2

If you are involved in information technology and compliance in a heavily regulated industry,  or work with larger organizations, you have probably run across the terms SAS 70, SSAE 16, SSAE 18, SOC 1 report, SOC 2 report, Type 1 Report, and Type 2 Report. These terms are frequently abused and misunderstood, even by compliance “experts,” so I’ve written this brief one-page summary. Everything I state below has a direct reference on the AICPA site; I have learned not to trust third-party sources in regards to compliance.

Background

The American Institute of CPAs (AICPA) has issued a series of standards for reporting on the controls implemented by service organizations. These standard were originally known as SAS 70, but in 2011 SAS 70 was replaced by SSAE 16. SOC reports issued on or after May 1, 2017 must be written in accordance with SSAE 18, which is an update to and clarification of SSAE 16.
SSAE/SOC are attestation standards that provide a standard system for documenting an organization’s controls and ensuring that the controls are suitable for their stated purpose. Type 1 reports (see below) also document the effectiveness of the controls. SSAE/SOC are fundamentally different from compliance frameworks like HIPAA/HITECH, ISO or PCI because they don’t lay out specific requirements. Therefore, you shouldn’t really say things like “we are compliant with SSAE 18 SOC 2.” It would be accurate to say, “We are HIPAA compliant and we have an SSAE 18 SOC 2 Type 1 report to prove it.”

SOC Reports

The AICPA defines four types of SOC reports.

Which Report Applies to You?

The AICPA recognizes that this is confusing, so they have created a page to help you choose the right SOC report.
 

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.