SSAE 16, SOC1, SOC2: Understanding Audit Terminology
When assessing technology options and evaluating outsourced IT providers, there are a number of questions hedge fund managers should be asking in order to make the best decision for their firms.
As we talk with investment managers – especially those whose firms are considering a move to the cloud – we’re hearing many of these great questions on an increasingly regular basis. One particular area where there tends to be some confusion, however, is the topic of audit standards which govern service organizations and the data centers they manage on behalf of client firms. To help you navigate through the evaluation process, we’ve pulled together a guide to understanding audit terminology and industry standards.
Audit Terminology Defined
You’ve probably heard several different audit-related terms being used to assess service organizations and data center quality. Here are some of the key terms to be familiar with:
According to NDB LLP, "the Statement on Standards for Attestation Engagements (SSAE) No. 16 is an attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) that addresses engagements undertaken by a service auditor for reporting on controls at organizations (i.e., service organizations) that provide services to user entities, for which a service organization's controls are likely to be relevant to a user entity's internal control over financial reporting (ICFR).
SSAE 16, along with AT Section 101, forms the underlying platform and professional standards on which the AICPA SOC reporting framework is founded, which consists of SOC 1, SOC 2, and SOC 3 reports."
According to the updated standards, an audit conducted under SSAE 16 results in a SOC 1 (Service Organization Control No. 1) report. This report focuses on the service provider's internal controls over financial reporting. SOC 1 reports are intended for use only by existing data center clients and are not recommended for prospective customers or the general public.
SOC 2 provides much more stringent guidelines than SAS 70 or SSAE 16, and is specifically designed to assess the quality of data centers and service organizations. SOC 2 and SOC 3 combined provide a benchmark against which two data center audits can be compared using the same set of relevant criteria – a major enhancement to previous audit standards.
Specifically, SOC 2 reports focus on the service provider's non-financial controls, which are organized under the Trust Service Principles: Security, Availability, Processing Integrity, Confidentiality and Privacy. An organization is not required to address all five principles in a SOC 2 engagement, but those it does include provide a more comprehensive evaluation of the provider and its data centers.
SOC 3 provides a level of assurance regarding the five Trust Service Principles comparable to SOC 2. The primary difference is that a SOC 3 report is intended for public release. As such, it contains a less detailed summary opinion from the auditor, giving an overview of the effectiveness of the controls that the data center or service organization has deployed.
SOC reports provide data center operators and service organizations with a more comprehensive set of guidelines on which to base their controls and policies. They also benefit clients and end users, as they provide better assurance that providers are meeting high standards when it comes to security, availability, processing integrity, confidentiality and data privacy. Essentially, these new audit standards have raised the bar, leading to what is sure to be a more effective and efficient future for data center technologies.
*Editor's Note: This article has been updated and was originally published in October 2012 by Dina Ferriero (Eze Castle Integration).