SSAE16; SOC 1-3 Readiness Assessment
Gain true advisory from independent assessors
Have your clients asked you to provide an SSAE16 Report (Statement on Standards for Attestation Engagements)? Or SOC Report (Service Organization Controls)? Not sure what that is?
If your Company performs outsourced services that affect the financial statements of another Company, or you are hosting critical infrastructure or services, you will most likely be asked to produce a SOC Report. Specifically, if you are in one of the following businesses, you will most likely require a SOC report (e.g. SSAE 16 or SOC 1, SOC 2, SOC 3):
- Data Center / Co-Location / Network Monitoring Services
- Payroll Processing
- Software as a Service (SaaS)
- Cloud Based Providers
- Medical Claims Processors
- Loan Servicing
As independent assessors, we provide our clients true advisory. We assist our clients in the preparation efforts to become compliant prior to the auditors’ arrival. We provide independent advice on the best practices, controls and policies that should be in place for compliance and ensure our clients a clean audit.
In 1992, the AICPA (American Institute of Certified Public Accountants) provided guidance on how to conduct Service Organization Control (SOC) audits (i.e. SAS 70s). However, in 2011 the SAS 70 (Statement of Audit Standards) guidelines were updated and diversified into SSAE 16, SOC 2, SOC 3 and other attestation guidelines.
SSAE 16 became SOC 1, which provides assurance over internal controls for financial reporting. SOC 2 and SOC 3 reports were formalized to provide assurance for other processes outside of internal controls over financial reporting. Specifically, they report on controls relevant to security, availability, processing integrity, confidentiality, or privacy, following the Trust Principles guidance newly issued by the AICPA in coordination with CICA (Canadian Institute of Chartered Accountants).
Lastly, internationally, the ISAE 3402 Standard exists and correlates with SOC 1 report requirements.