To A Better Understanding Of SSAE 16 (SOC 1), SOC 2 And SOC 3


“The Cliff Notes Version”
To a Better Understanding of SSAE 16 (SOC 1), SOC 2 and SOC 3

In June of 2011, the American Institute of Certified Public Accountants (AICPA) released its Service Organization Controls (SOC) reporting structure. SOC 1, also known as Statements on Standards for Attestation Engagements No. 16, is better known throughout service organizations as SSAE 16 and is the successor to SAS 70. Like anything relatively new, there are plenty of questions and opportunities for clarification from an experienced CPA firm such as SSAE 16 Professionals, LLP.

The professionals at SSAE 16 Professionals, LLP are honored to share and be a resource for any information regarding SSAE 16 as well as other value-added audit/compliance services. We are one of the nation's leading PCAOB-registered CPA firms performing SSAE 16 (SOC 1), SOC 2 and SOC 3 audits. The following is a very basic or “Cliff Notes” version of information that we hope you find helpful regardless of your SSAE 16 knowledge level. Also, we are available for follow-up or to answer any further questions you may have.

Since mid-2011, SSAE 16 (SOC 1) has replaced an aging SAS 70 and is here to stay. Rapid changes within service organizations facilitated the evolution to SSAE 16, where controls and related assertions need to be based on relevant internal control over financial reporting (ICFR). This has led service organizations to restructure their control objectives and acquire formal certification to satisfy and comply with the newly evolved standards. For service organizations today, SSAE 16 calls for a description of the organization's “system”. This basically describes the policies and procedures in place, along with personnel and operational functions, with consideration to the services provided that are relevant to current and future user entities. This is far more detailed and comprehensive than SAS 70’s description of “controls”.

Also, unlike SAS 70’s perceived “one size fits all” approach, the new AICPA SOC framework now provides for multiple SSAE 16 reporting options. Service organizations are now required to effectively choose between SSAE 16 (SOC 1), SOC 2 and SOC 3. Consultation with an experienced CPA firm such as SSAE 16 Professionals, LLP can assist in deciding which report or reports best support the organization's objectives.

Understanding the Basics of SSAE 16 (SOC 1)

Let’s assume we are referring to an organization within any of the industries that fall under the service organization umbrella, whose services impact its clients’ ICFR. With a corporate objective to best position the organization for continued growth, client confidence, and the ability to serve a broader range of clients, an SSAE 16 (SOC 1) audit fully supports this objective with a proven and very strong return on investment (ROI). The first step towards an SSAE 16 (SOC 1) audit requires the organization to identify what services and controls are in place that affect the ICFR of clients that utilize their services. This is a rigorous process that is dedicated to the achievement and recognition that your services meet a minimum set of standards as identified and evaluated in the service auditor’s report.

As with past SAS 70 reports, both SSAE 16 (SOC 1) Type I and SSAE 16 (SOC 1) Type II reports can be issued depending on the specific requirements and objectives of the service organization. Both report types add value and credibility to a service organization’s core activities, with the following differences:

- Type I is a report on policies and procedures placed in operation as of a specified “point in time”. SSAE 16 Type I reports evaluate the design effectiveness of a service provider’s controls and then confirm that the controls have been placed in operation as of a “specific date”.
- Type II is a report on policies and procedures placed in operation and tests of operating effectiveness for a “period of time”. Type II reports include the examination and confirmation steps involved in a Type I examination plus an evaluation of the operating effectiveness of the controls for a period of at least six consecutive calendar months.

Most user organizations require their service provider to undergo the Type II level examination for the greater level of assurance and reporting detail it provides.

Understanding the Basics of SOC 2

For companies providing services that do not impact their clients’ ICFR, the AICPA has issued an Interpretation under AT Section 101 permitting service auditors to issue reports. These reports will now be considered SOC 2 or SOC 3 reports and focus on controls at a service organization relevant to the following principles:

- Security: The system is protected against unauthorized access (both physical and logical)
- Availability: The system is available for operation and use as committed or agreed
- Processing Integrity: System processing is complete, accurate, timely, and authorized
- Confidentiality: Information designated as confidential is protected as committed or agreed
- Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA

This means many companies which have used SAS 70s in the past will now need a SOC 2 report (e.g. managed service providers, Software as a Service (SaaS), cloud computing, etc.). SOC 2 reports are restricted use reports, which means use of the reports is restricted to:

- Management of the service organization (the company who has the SOC 2 performed)
- User entities of the service organization (customers, regulators, business partners, suppliers, etc.)

As with SSAE 16 (SOC 1) reports, SOC 2 Type I and SOC 2 Type II reports can be issued:

- Type I – a Type I is a report on policies and procedures placed in operation as of a specified “point in time”. SOC 2 Type I reports evaluate the design effectiveness of a service provider’s controls and then confirm that the controls have been placed in operation as of a “specific date”.
- Type II – a Type II is a report on policies and procedures placed in operation and tests of operating effectiveness for a “period of time”. SOC 2 Type II reports include the examination and confirmation steps involved in a Type I examination plus an evaluation of the operating effectiveness of the controls for a period of at least six consecutive calendar months. Most user organizations require their service provider to undergo the Type II level examination for the greater level of assurance it provides.

SOC 3 WebTrust and SysTrust for Service Organizations

The Trust Services Principles and Criteria are a set of professional attestation and advisory services that form the basis for both the WebTrust™ and SysTrust℠ Services. The Trust Services are a broad-based set of principles and criteria put forth jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) to maintain the privacy and confidentiality of information. In today’s global economy, companies are relying more and more on complex and powerful information technology systems. In order to gain the trust of key stakeholders, many companies choose to undergo a WebTrust™ or SysTrust℠ audit, which is performed by a licensed CPA, when a SOC 1 SSAE 16 or SOC 2 AT 101 audit is not appropriate.

WebTrust Reports

The WebTrust service and report is primarily designed for e-commerce systems and is comprised of a family of assurance services including:

- WebTrust Online Privacy. The scope of the assurance engagement includes the relevant online Privacy principle and criteria
- WebTrust Consumer Protection. The scope of the assurance engagement includes both the Processing Integrity and relevant online Privacy Principles and Criteria
- WebTrust. The scope of the assurance engagement includes one or more combinations of the Principles and Criteria not anticipated above
- WebTrust for Certification Authorities. The scope of the assurance engagement includes the Principles and related Criteria unique to certification authorities

SysTrust Reports

As with the WebTrust service and its respective report, the SOC 3 SysTrust for Service Organizations is comprised of a family of assurance services designed for a wide variety of information technology based systems that are defined by the entity. The scope of these reports can include one or more of the following Principles and Criteria:

- Security: The system is protected against unauthorized access (both physical and logical)
- Availability: The system is available for operation and use as committed or agreed
- Processing Integrity: System processing is complete, accurate, timely, and authorized
- Confidentiality: Information designated as confidential is protected as committed or agreed
- Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA

Unlike a SOC 2 report (which is a restricted use report), WebTrust™ and SysTrust℠ reports are general use reports, which means that upon attainment of an unqualified report, they can be freely distributed or posted on a website as a seal for one full calendar year from the date of issue.

It is important to note that many companies undergoing a SOC 1, SOC 2 or SOC 3 audit for the first time choose to perform a Readiness Assessment prior to undergoing the Type I or Type II audit. Also, even though SOC 1 is the clear favorite among most Service Organizations, SOC 2 and SOC 3 are very valuable reporting options if needed.

Benefits of successfully completing any SSAE 16 engagement include:

- Marketing and competitive advantage
- One-time annual audit
- Improving organizational performance and productivity
- Ability to perform outsourced services for public and private companies
- Potential clients are more likely to trust your company over your competitors who do not have an SSAE 16

SSAE 16 (SOC 1), SOC 2, and SOC 3 reports should be viewed as an annual investment in your company with a proven ROI, helping generate new clients while increasing operational efficiencies through streamlined processes. For more information or answers to any questions, please feel free to contact a proven and experienced CPA firm such as SSAE 16 Professionals, LLP.

About SSAE 16 Professionals, LLP

SSAE 16 Professionals, LLP is a leading provider that specializes solely in SSAE 16 (SOC 1) and SOC 2 readiness assessments, SSAE 16 (SOC 1) and SOC 2 Reports, and other IT audit and compliance reports. Each of our professionals has over 10 years of relevant experience at “Big 4” and other large international or regional accounting firms. Each professional is certified as a CPA (Certified Public Accountant), CISA (Certified Information Systems Auditor), CIA (Certified Internal Auditor), CISSP (Certified Information Systems Security Professional), CRISC (Certified in Risk and Information Systems Control) and/or MBA (Master of Business Administration). For more personalized and specific information regarding your business objectives, please feel free to contact us any time or call (866) 480-9485. We look forward to hearing from you.
