The New World Created by SSAE 16

For many years, a lack of certified reporting standards made the business world a veritable “wild west,” where companies and organizations were free to report and share information how and with whom they chose. This lack of transparency may have served as a benefit to corporate and industry insiders, but it offered consumers and shareholders little in terms of accurate information regarding the internal controls a company had in place, and how those controls safeguarded investors.

Ultimately, the American Institute of Certified Public Accountants (AICPA) took measures to standardize the process and procedures surrounding such reporting. These measures came in the form of auditing standards with which companies were expected to remain compliant.

In 2011, industry changes necessitated an update to the auditing standards. Those updates were presented in the Statement on Standards for Attestation Engagements No. 16, also known as SSAE 16. These new reporting updates took effect on June 15, 2011.

The purpose of SSAE 16 was to help American industries change their reporting standards to be more in line with those currently being practiced internationally. In contrast to the previous reporting standards, SSAE 16 set the expectation that companies and service organizations meet two new requirements:

  • Develop a more comprehensive “description of systems” as opposed to the previously required description of controls.
  • Create a written assertion outlining how control standards are to be met. This assertion must be crafted by management and contain certain criteria for which management is responsible.

New Reporting Standards

To achieve these new aims, the AICPA offers a three-tiered reporting structure. Those reports are described as follows:

  • SOC 1: The SOC 1 report describes the controls in place relevant to a company or service organization’s internal controls over financial reporting. Management identifies any risks presented by internal personnel or processes that are included in the system description.
  • SOC 2: The SOC 2 report evaluates the organization’s controls that meet certain criteria applicable to security, availability, processing integrity, confidentiality or privacy. Essentially, this report places the relevant internal processes under the microscope, judging them according to the major components of the Trust Services Principles established by SysTrust and WebTrust, namely:
      • Policies
      • Communications
      • Procedures
      • Monitoring

SOC 2 reports can be issued on any one or all five Trust Services Principles.

  • SOC 3: Like SOC 2, the SOC 3 report is also based on the Trust Services Principles. However, SOC 3 is a general-use report that provides the auditor’s report, system description and management assertion on whether the organization’s controls satisfied the trust services criteria (without the description of control tests and results). This report is typically reserved for marketing purposes.

It’s a brave new world of standard reporting. As you embark on this new era, if you don’t have an intimate knowledge of the new standards set forth by the AICPA, you risk encountering major obstacles as you integrate the new protocols into your current reporting systems. We at I.S. Partners, LLC are here to help you with this transition. Our industry experts are well-versed in the challenges presented by SOC 1, 2, and 3 reports, as well as the opportunities that each presents to help you and your company improve your efficiency. Don’t feel that you have to face this transition alone. We invite you to put our knowledge and expertise to work for you.

If your company is in need of an SSAE 16 or you would like to receive more information about I.S. Partners, LLC, please call 215-675-1400 or email us at [email protected]
