If you are involved in information technology and compliance in a heavily regulated industry, or work with larger organizations, you have probably run across the terms SAS 70, SSAE 16, SSAE 18, SOC 1 report, SOC 2 report, Type 1 Report, and Type 2 Report. These terms are frequently abused and misunderstood, even by compliance “experts,” so I’ve written this brief one-page summary. Everything I state below has a direct reference on the AICPA site; I have learned not to trust third-party sources in regards to compliance.
The American Institute of CPAs (AICPA) has issued a series of standards for reporting on the controls implemented by service organizations. These standards were originally known as SAS 70, but in 2011 SAS 70 was replaced by SSAE 16. SOC reports issued on or after May 1, 2017 must be written in accordance with SSAE 18, which is an update to and clarification of SSAE 16.
SSAE/SOC are attestation standards that provide a standard system for documenting an organization’s controls and ensuring that the controls are suitable for their stated purpose. Type 1 reports (see below) also document the effectiveness of the controls. SSAE/SOC are fundamentally different from compliance frameworks like HIPAA/HITECH, ISO or PCI because they don’t lay out specific requirements. Therefore, you shouldn’t really say things like “we are compliant with SSAE 18 SOC 2.” It would be accurate to say, “We are HIPAA compliant and we have an SSAE 18 SOC 2 Type 1 report to prove it.”
The AICPA defines four types of SOC reports.
- SOC 1 reports on an organization’s Internal Control over Financial Reporting (ICFR). If you work in IT, you generally won’t be involved with this type of report, unless you work in finance.
- SOC 1 Type 1 reports on the design, suitability, and effectiveness of an organization’s financial controls over a specified period of time
- SOC 1 Type 2 reports on the design and suitability of an organization’s financial controls at a specified date
- SOC 2 reports on an organization’s internal controls related to “Security, Availability, Processing Integrity, Confidentiality or Privacy”
- SOC 2 Type 1 reports on the design, suitability, and effectiveness of an organization’s controls over a specified period of time
- SOC 2 Type 2 reports on the design and suitability of an organization’s controls at a specified date
- SOC 3 is a high-level summary report of an organization’s controls that can be distributed without fear of compromising confidential information
- SOC for Cybersecurity is a developing standard that’s focused on cybersecurity controls. Despite the fact that this SOC report would be more appropriate than a SOC 2 report for many modern businesses, most compliance programs still request a SOC 2 report instead.
Which Report Applies to You?
The AICPA recognizes that this is confusing, so they have created a page to help you choose the right SOC report.