Understanding SSAE18 SOC Reports
Everything you need to know about SSAE18 SOC 1, SOC 2, and SOC 3.
Working with a company like ABS, which has completed an SSAE18 SOC 2 Type 1 report, ensures that your valuable company data is securely managed and stored to safeguard the quality of service to your customers.
SSAE18, short for Statement on Standards for Attestation Engagements No. 18, replaced SSAE16 in May of 2017 as the new standard for audit practitioners to perform a variety of attestation reports. Overseen by the American Institute of Certified Public Accountants (AICPA), SSAE standards are used to regulate how service organizations conduct business, including the storage of sensitive information, and how they report on compliance controls. SSAE18 includes a variety of attestation reports, including SOC 1, SOC 2, and SOC 3.
Third-party auditors complete the SOC reports based on the trust services criteria relevant to security, availability, and confidentiality.
The new SSAE18 standards have some key updates from SSAE16, specifically related to a service organization’s disclosure of third-party relationships and requirements for ongoing relationship management to monitor third parties. SSAE18 also requires that service organizations conduct a risk assessment to highlight the organization’s key internal risks, which should then be addressed and updated to mitigate risk.
To understand the full breadth of SSAE18 standards and the security and trust it assures, it is important to understand the difference between SOC 1, SOC 2, and SOC 3 reports:
SOC 1
“Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting” – AICPA
SSAE18 SOC 1 is a report that informs a service organization’s customers and their customers’ auditors about the controls the service organization has in place to safeguard its customers’ financial statements. A SOC 1 report would be used by a service organization’s customers and their customers’ auditors in order to perform an audit of the customer’s financial statements. SOC 1 includes Type 1 and Type 2 reports:
- SOC 1 Type 1: a report on the credibility and accuracy of how a service organization describes its system and the suitability of the design of its controls to safeguard customers’ financial data.
- SOC 1 Type 2: a report on the credibility and accuracy of how a service organization describes its system and the suitability of the design and operating effectiveness of its controls to safeguard customers’ financial data.
SOC 2
“Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” – AICPA
SSAE18 SOC 2 is a detailed report on the controls of a service organization’s systems used to process customer data and on the confidentiality and privacy of the information processed by these systems. This report provides assurance of the security, availability, and processing integrity of these systems. SOC 2 reports are intended to be used by service organizations, their customers, and stakeholders to gain confidence and build trust in a service organization’s systems. SOC 2 also includes Type 1 and Type 2 reports:
- SOC 2 Type 1: a report on the credibility and accuracy of how a service organization describes its system and the suitability of the design of its controls at a point in time.
- SOC 2 Type 2: a report on the credibility and accuracy of how a service organization describes its system and the suitability of the design and operating effectiveness of its controls over a period of time.
SOC 3
SSAE18 SOC 3 reports are similar to SOC 2 reports in that they provide assurance about the controls at a service organization regarding security, availability, processing integrity, confidentiality, or privacy, but they do not provide the same degree of detailed information about a service organization’s systems. SOC 3 reports can be freely distributed, whereas SOC 2 reports have restrictions on their use.
What does SSAE18 Compliance mean for IT service providers?
SSAE18 sets the standards for how IT service providers should manage their systems to ensure the security and privacy of customer data.
Trust and integrity are key to maintaining customer relationships and providing quality customer service. By receiving an SSAE18 SOC 2 report, IT service providers give customers confidence that their security and privacy are a top priority. This peace of mind is what customers need to focus on doing what they do best while leaving IT problems to the experts.
If your business would benefit from the peace of mind that comes with working with a company that has received an SSAE18 SOC 2 Type 1 report, schedule a consultation with one of our trusted advisors.