The New World Created by SSAE 16
For many years, a lack of certified reporting standards made the business world a veritable “wild west,” where companies and organizations were free to report and share information how and with whom they chose. This lack of transparency may have served as a benefit to corporate and industry insiders, but it offered consumers and shareholders little in terms of accurate information regarding the internal controls a company had in place, and how those controls safeguarded investors.
Ultimately, the American Institute of Certified Public Accountants (AICPA) took measures to standardize the process and procedures surrounding such reporting. These measures came in the form of auditing standards with which companies were expected to remain compliant.
In 2011, industry changes necessitated an update to the auditing standards. Those updates were presented in the Statement on Standards for Attestation Engagements No. 16, also known as SSAE 16. These new reporting updates took effect on June 15, 2011.
The purpose of SSAE 16 was to help American industries change their reporting standards to be more in line with those currently being practiced internationally. In contrast to the previous reporting standards, SSAE 16 set the expectation that companies and service organizations meet two new requirements:
- Develop a more comprehensive “description of systems” as opposed to the previously required description of controls.
- Create a written assertion outlining how control standards are to be met. This assertion must be crafted by management and contain certain criteria for which management is responsible.
New Reporting Standards
To achieve these new aims, the AICPA offers a three-tiered reporting structure. Those reports are described as follows:
- SOC 1: The SOC 1 report describes the controls in place relevant to a company or service organization’s internal controls over financial reporting. Management identifies any risks presented by internal personnel or processes that are included in the system description.
- SOC 2: The SOC 2 report evaluates the organization’s controls against criteria applicable to security, availability, processing integrity, confidentiality or privacy. Essentially, this report places the relevant internal processes under the microscope, judging them according to the major components of the Trust Services Principles established by SysTrust and WebTrust, namely:
  - Security
  - Availability
  - Processing integrity
  - Confidentiality
  - Privacy
SOC 2 reports can be issued on any one or all five Trust Services Principles.
- SOC 3: Like SOC 2, the SOC 3 report is also based on the Trust Services Principles. However, SOC 3 is a general-use report that provides the auditor’s report, system description and management assertion on whether the organization’s controls satisfied the trust services criteria (without the description of control tests and results). This report is typically reserved for marketing purposes.
It’s a brave new world of standard reporting. As you embark on this new era, if you don’t have an intimate knowledge of the new standards set forth by the AICPA, you risk encountering major obstacles as you integrate the new protocols into your current reporting systems. We at I.S. Partners, LLC are here to help you with this transition. Our industry experts are well-versed in the challenges presented by SOC 1, 2, and 3 reports, as well as the opportunities each presents to help you and your company improve your efficiency. Don’t feel that you have to face this transition alone. We invite you to put our knowledge and expertise to work for you.