SSAE 16 Audit and SOC Reporting

A version of this article was first published on HIPAA Vault’s

Statements on Standards for Attestation Engagements No. 16 (SSAE 16) is a reporting standard created by the American Institute of Certified Public Accountants (AICPA) for service auditors and service organizations (including data center facilities) throughout the United States. SSAE 16 requires a written assertion from the service organization that accurately describes the operating effectiveness of its controls. This description must cover the services the organization provides, along with all operational activities that affect the services its customers use. The service organization must also declare that the description properly presents its control objectives for the time period in which they are to be assessed.

Based on AICPA reporting standards, an audit conducted under SSAE 16 produces a Service Organization Control (SOC) report. These reports focus on internal controls and financial reporting and are issued as Type 1 or Type 2 reports. A Type 1 report provides an assessment as of a specific date, such as February 12, 20xx, while a Type 2 report covers a broader scope generally known as a “testing period”. This period can be anything from one week, to one month, to one year. A Type 1 report only gives the assessor’s opinion on the accuracy and completeness of the service description provided by the organization, along with the suitability of the design of the controls as of that specific date. A Type 2 report not only covers the Type 1 details but also provides the audit results on the operating effectiveness of those controls throughout the defined period, usually between six months and a year.

SOC data center compliance has become a mandatory requirement for many facilities throughout North America that offer co-location services. A SOC report provides a high level of assurance that a data center is secure, highly available, and operating under a consistent set of high-integrity processes. As a result, heavy regulatory compliance burdens continue to be placed on such facilities, with SSAE 16 serving as the standardized auditing standard for assurance reporting.

SOC 1 assessments are based on the financial reporting of service organizations. SOC 2 assessments target technology-oriented service organizations and give granular detail about the security controls in use. SOC 3 assessments present results similar to those of a SOC 2 report, but from a higher-level perspective.

| SOC 1 | SOC 2 | SOC 3 |
|---|---|---|
| Restricted Use Report | Generally a Restricted Use Report | General Use Report |
| Purpose: Reports on controls for financial statement audits | Purpose: Reports on controls related to compliance or operations | Purpose: Reports on controls related to compliance or operations |

SOC 1

  • Reports on service organization controls relevant to financial reporting
  • Restricted only to management personnel for service organizations, user entities, and user auditors

SOC 2

  • Reports on service organization controls relevant to security, availability, processing integrity, confidentiality, privacy
  • Provides description of service auditor’s control testing and results thereafter

SOC 3

  • Covers an overview of SOC 2 report
  • Service auditor’s control testing and results are not included

| | Who uses this | Why they use it | What is covered |
|---|---|---|---|
| SOC 1 | Management of the service organization, user entities, and auditors | Audit of financial statements | Controls relevant to user entity financial reporting |
| SOC 2 | Management of the service organization and user entities, regulators, others | Governance, risk, and compliance programs; oversight; due diligence | Concerns regarding a system’s security, availability, processing integrity, confidentiality, or privacy |
| SOC 3 | Any users who need confidence in the security, availability, processing integrity, confidentiality, or privacy of a service organization’s system(s) | Marketing purposes; details not particularly needed | Seal of approval, along with reporting on service controls |
