Understanding AICPA Audits and Attestations: SSAE 16, SOC 1 vs. SOC 2, and Other Standards

Service organizations that outsource certain services must protect stakeholder information from cybersecurity risks. One of the best methods to demonstrate your ability to do so is adhering to AICPA standards and guidance (commonly assessed via SOC audits). Organizations may wonder which of the standards and assessments best suits their needs: SSAE 16 SOC 1 vs. SOC 2 or other standards? Read on to learn more about the various AICPA attestations.

 

SSAE 16 SOC 1 vs. SOC 2 vs. SOC 3, and Other AICPA Standards

The American Institute of Certified Public Accountants (AICPA) guides CPAs in providing auditing and attestation services to their clients. When preparing audits and attestations, the most important aspects to consider include:

• Updates to and applicability of current AICPA standards 
• Breakdown of AICPA’s SOC 1, 2, and 3 
• Applicability of other AICPA SOC frameworks
• Auditing and attestation based on the Trust Services Criteria (TSC) principles and categories

Completing effective AICPA audits and attestations requires an understanding of the various standards. Depending on your organization’s needs (such as deciding between SSAE 16 SOC 1 vs. SOC 2 reporting), a SOC 2 compliance partner can help you best determine the appropriate reporting standard. 

---

Download Our SOC 2 Compliance Checklist

---

AICPA’s Standards for Audits and Attestations

AICPA standards can help guide the preparation and submission of audit reports for non-issuer organizations (i.e., those that do not currently or intend to issue securities), as defined by the below criteria:

• Organizations deemed non-issuers by the Sarbanes-Oxley Act
• Organizations that do not require audits, per the Public Company Accounting and Oversight Board (PCAOB) 

The AICPA’s Auditing and Standards Board (ASB) is responsible for developing and implementing audit and attestation standards that best serve the audit needs of non-issuers by:

• Developing and updating standards to reflect current non-issuer needs
• Communicating timely guidance to support objective auditing and attestation
• Creating clear drafting conventions to simplify audit and attestation processes

Specific AICPA standards that can help service organizations in preparing financial audits and attestations include:

• Statements on Auditing Standards (SAS)
• Statements on Standards for Attestation Engagements (SSAE)
• Statements on Quality Control Standards (SQCS)

The guidance in the SAS, SSAE, and the SQCS standards helps streamline reporting on audits and engagements.

 

Request a Free Consultation

 

Timeline, Updates, and Applicability for SSAE Nos.16, 18, and 22

The SAS 70 was replaced by the Statements on Standards of Attestations Engagement No. 16 (SSAE No.16), which eventually became System and Organization Control (SOC). SOC auditing and reporting helps assess the integrity of controls used to manage outsourced services.

The three types of SOC reports include:

• SOC 1 (for financial reporting services)
• SOC 2 (for service providers and based on the TSC)
• SOC 3 (for general use and non-technical audiences)

In April 2016, the AICPA issued SSAE No.18, which superseded Nos. 1-17 (except No.10 and 15). By redrafting previous SSAEs and publishing SSAE No.18, the AICPA clarified guidance for service organizations to conduct audits and attestations. 

Specific changes within SSA No.18 include, but are not limited to:

• Inclusion of objectives and definitions to each section
• Improved formatting of sections for better readability
• Addition of considerations that apply to smaller and simpler non-issuers

Per AICPA’s 2020 press release, the SSAE No.22 supersedes No.18 with improvements to:

• Clarification of objectives regarding practitioner review engagements, specifying the need to obtain limited assurance from an engagement 
• Transparency of reporting, requiring disclosure of the processes used by the audit and attestation practitioner to achieve limited assurance
• Reporting, allowing a practitioner to report on adverse review conclusions where misstated

The SSAE No.22 will become effective on or after June 15, 2022, requiring practitioners of audit engagements to update reporting accordingly. Practitioners may use SSAE No.22 earlier than June 2022 only if they apply amendments to AT-C section 105 in SSAE No.21.

AICPA’s System and Organization Controls (1, 2, and 3)

Reporting on AICPA’s SOC frameworks helps service organizations conduct risk assessments of the controls used to manage outsourced services and associated data. Developing robust processes for conducting audits and attestations will assure your clients of the substantial information security you provide. 

Understanding the nature of each SOC reporting framework can help you choose between SSAE 16 SOC 1 vs. SOC 2 reports for engagements.

 

SOC 1: Report on Internal Control Over Financial Reporting

When providing financial reporting processes, you can assess the security and operationality of internal controls via SOC 1 reports. Essentially, SOC 1 reports will demonstrate to your clients that the internal controls and processes used in financial reporting are working as effectively as expected.

Your organization can take advantage of two Types of SOC 1 reports:

• SOC 1 Type 1, which reports on internal controls’ design regarding their effectiveness at a specified time.
• SOC 1 Type 2, which reports on internal controls’ design and effectiveness over a specified period.

SOC 1 reporting can help your organization build more effective financial reporting controls and provide the necessary assurance to clients and customers. However, the sensitivity of financial data in SOC 1 reports requires strict confidentiality during the reporting and auditing process.

 

SOC 2: Report on Controls for Trust Services Criteria

Unlike SOC 1, SOC 2 reports help service organizations demonstrate assurance based on the AICPA Trust Service Criteria (TSC) (see below). SOC 2 reporting can help a service organization assess risks to aspects of:

• Overall leadership and management oversight 
• Vendor relations and operations
• Internal governance and risk management
• Regulatory compliance 

 Similar to SOC 1, SOC 2 reports are broken into two types:

• SOC 2 Type 1, which reports on the design controls regarding their effectiveness at a set time.
• SOC 2 Type 2, which reports on the design and effectiveness of controls over a longer period.

When determining whether to report via SSAE 16 SOC 1 vs. SOC 2, you should understand that SOC 2 reports are amenable to specific organization needs. Each organization must determine the types of standards on which to report based on services provided. 

Working with a trusted SOC 2 compliance advisor will help you identify the appropriate SOC 2 report.

 

SOC 3: Report on Trust Services Criteria for General Use

SOC 3 reports can help provide TSC-based assurance about service organization controls. Unlike SOC 2 reports that are more technical, SOC 3 reports are intended for general use by lay audiences. Additionally, SOC 3 reports do not contain sensitive information and can be openly distributed.

 

Other AICPA System and Organization Controls 

Organizations can also assure clients of the effectiveness of controls by reporting on cybersecurity and supply chain management. Doing so helps identify and address risks to an organization’s overall cybersecurity.

 

SOC for Cybersecurity 

The SOC for Cybersecurity framework helps organizations report on cybersecurity risk management to address any concerns expressed by relevant stakeholders.  

The three components of SOC for cybersecurity reports include:

• Description of cybersecurity management – An organization’s management describes existing processes (along with contextual background) for cybersecurity risk management such as:

• • Methods for identifying information assets
  • Tools to identify cybersecurity risks
  • Implementation of security policies 
• Assertion of cybersecurity management – Provided by an organization’s management to assert whether:
  • Described cybersecurity risk management processes align with description criteria
  • Controls described by management function effectively and in alignment with the control criteria
• Report by the practitioner – The final component is an opinion provided by the reporting practitioner (CPA) to address the accuracy of the second component (i.e., the assertion of cybersecurity management).

SOC for Cybersecurity reporting can help organizations effectively identify and address cybersecurity risks. 

 

SOC for Supply Chain 

Similarly, the SOC for Supply Chain framework helps organizations report on cybersecurity risk controls for supply chain management involving the production, manufacturing, and distribution of goods.

Some of the critical description criteria for SOC for Supply Chain reports include but are not limited to:

• Types of goods involved in an organization’s supply chain process
• “Principal system objectives” that include:
  • Performance specifications of products
  • Requirements involved in production, manufacturing, and distribution
• Sources of system incidents related to ineffective controls and failure to meet principal system objectives
• Significant risks to achieving principal system objectives

SOC for Supply Chain reporting helps organizations, clients, and business partners to identify cybersecurity risks to supply chain management, promoting efficiency in the production, manufacturing, and distribution of goods.

  

AICPA’s Trust Services Criteria for SOC 2, 3, and Other Reports

The Trust Services Criteria (TSC) helps CPAs prepare reports and attestations by providing benchmarks for assessing the effectiveness of controls for a given organization. From the five TSC categories, organizations can choose to report on those categories most relevant to their organization-specific objectives and processes.

When preparing an SSAE 16 report vs. SOC 2, you must keep in mind that only SOC 2 reports utilize the TSC categories.

TSC Trust Services Principles and Categories to Assess for SOC 2

The TSC principles and categories for SOC 2 reporting are broken down as follows:

• Security – A system has appropriate safeguards against unauthorized access to and disclosure of information, especially during:

• Collection, processing, and storage

• Transmission across organizations 

• Availability – System processes can readily perform operations to meet organization-specific objectives and provide goods or services to customers as needed.

• Processing Integrity – A system should perform expected functions with:

• • • Accuracy, validity, and expected completeness
    • No delays and need impairments or alterations to system functions

• Confidentiality – Information processing within a system should protect the confidentiality of information in question, especially for any information categorized as confidential.

• Privacy – Personal information should be safeguarded from unauthorized disclosure based on the privacy criteria, some of which include:

• Proper communication about privacy

• Communication regarding privacy choices

• Collection of personal information per privacy criteria

• Disposal of personal information per privacy criteria  

SOC 2 reporting based on the TSC categories will help improve the effectiveness of auditing and attestation and provide reliable control assurance to stakeholders. A SOC 2 compliance advisor can help you navigate aspects of the TSC principles and categories so you can decide between conducting SSAE 16 SOC 1 vs. SOC 2 reports.

 

TSC Common Criteria Applicable to all Trust Services Principles

The foundation of the TSC categories is the COSO framework, which aims to improve the effectiveness of internal controls and risk management processes. 

The first five of the nine Common Criteria (CC) categories are based on multiple COSO principles. However, the last four CC categories are based on COSO Principle 12, which calls for organizations to establish robust policies for managing controls.  

The CC categories are broken down as follows:

• Control Environment Criteria – Management is responsible for overseeing an environment that supports the implementation of effective controls.

• Communication / Information Criteria – An organization is required to establish clear organization-wide lines of communication regarding control implementation. 

• Risk Assessment Criteria – Conducting effective risk assessment helps identify risks to mission-specific objectives. 

• Control Monitoring Criteria – System monitoring should help identify gaps in controls to address any hindrances to meeting objectives. 

• Control Activities Criteria – Activities and processes to maintain controls should identify and address risks to meeting objectives.

• Logical / Physical Access Criteria – Access controls (whether physical or logical) should minimize unauthorized access to sensitive information. 

• System Operations Criteria – Organization-wide systems should have processes for ongoing monitoring of security vulnerabilities, initiating appropriate incident responses for security events.

• Change Management Criteria – Any implementation of organization-wide changes should require appropriate testing and authorization to minimize any risks to mission-specific objectives.

• Risk Mitigation Criteria – An organization is required to implement risk mitigation strategies that minimize business disruption and address risks encountered by third-party partners.

The nine CC categories are critical to meeting the criteria set forth by the TSC principles. Preparing for and conducting SOC 2 assessments based on the CC categories will improve the effectiveness of your controls and address any concerns for relevant stakeholders.

 

TSC Supplemental Criteria Applicable to Individual Principles

The TSC also comprises individual series of criteria for the other Principles:

• Availability Criteria – All systems and relevant information within an organization should be fully operational for stakeholders (e.g., customers, business partners) to access at any time.

• Confidentiality Criteria – Information must be kept confidential at all times if categorized so. Any confidential information must be erased when no longer needed.

• Processing Integrity Criteria – Data processing must function at capacity as defined in the mission-specific objectives.

• Privacy Criteria – All personally identifiable information must be safeguarded during collection, use, and storage, limiting access and disclosure risks.

When applied alongside the CC, the Supplemental Criteria can help strengthen auditing and attestation processes. Your organization will also improve the overall security and effectiveness of system controls.

 

SOC 2 Implementation and Attestation with RSI Security

Regardless of which services your organization outsources, a SOC 2 report will help secure data belonging to various stakeholders. Working with an experienced SOC 2 compliance advisor will help determine which SOC reporting works better for your organization: SSAE 16 SOC 1 vs. SOC 2.

Contact RSI Security today to learn more about SOC 2 implementation and to achieve the best ROI on SOC 2 audits and attestations.