SSAE 16, SSAE18, SOC 1, SOC2: What they are and why you should care
July 11, 2017 by Editorial Team (39posts) under HIPAA Compliant Hosting
Cloud computing has revolutionized the world of software licensing, but it has also opened the gates to new security risks. In the past, if a company wanted to add new software, it had to endure long installation processes on local servers. This gave companies the opportunity to verify the reliability of their systems, while local hosting gave them more control over their data. However, it was also immensely time-consuming and costly to set up and maintain.
Risks and Opportunities of Third Party Hosting – How SSAE 16, SSAE 18, SOC 1, and SOC 2 Help
Today, adding software to your organization can be as quick as logging into an online platform. It offers a major competitive advantage, especially when coupled with flexible payment plans. Engaging a service provider enables your organization to become more efficient in record time. There is no need to reinvent the wheel and create security protocols and software installation from scratch. You can be up and running within weeks or even days. Need to host an app? Find a cloud hosting provider who already has servers set up so that your team can focus on building the app and prepare it for launch.
However, hosting in the cloud means that you have limited control over your data and knowledge of its location. This lack of control can become a significant liability to your company, especially if the data in question belongs to your end users. In the event of a data breach committed by the provider, you will be the one held accountable to your end users. Therefore, ensuring the security, integrity, confidentiality, and privacy of your sensitive data should be of paramount importance.
Question of Reliability
If you are a company that chooses to store and process your end users’ personal or confidential information with a third-party provider, you have a list of concerns to address. It is your responsibility to verify that the third-party provider is dependable, their system is functional and has proper safeguards in place.
You may think that hosting your data locally seems to be the wiser choice. The reality is the cost of building a system that integrates a variety of functions, which is what most businesses need to remain operative, can be extremely high and a headache to maintain. (See our article How to Become HIPAA Compliant to assess the scope of creating a secure HIPAA hosting environment.) It makes more sense to outsource.
The key is to employ the services of a provider that is properly certified and meets the demand for confidentiality and privacy of information. This is what you’ll need to guarantee your users’ trust, especially if you are dealing with financial or health-related personal data. To obtain this assurance, you are entitled to require from the service provider a proof that it has proper controls in place, as verified by a third-party accounting firm. This proof comes in the form of SOC 1 and SOC 2 reports.
Finding the Right Kind of Provider
SOC (‘Service Organization Control’) reports were created by the AICPA in order to set compliance standards and keep pace with the rapid growth of cloud computing and businesses outsourcing their services to third-party providers.
Before AICPA drafted the SSAE 16 standards and the SOC reports, it had a single examination for Service Providers based upon Statements on Auditing Standards (SAS) 70. This standard was launched to ensure that third-party providers had the proper controls in place to prevent the service provider from having an errant material impact on its customer’s internal control over financial reporting (ICFR). With the development of cloud computing and an increase in the number of companies entrusting third-party providers with their customer data, a need emerged for a standard that expanded beyond financial controls to also include security and confidentiality of the entrusted data. To clarify the new set of standards and include new business practices, the AICPA replaced the SAS 70 report with the SOC framework.
What Is SSAE 16?
SSAE 16 stands for Statements on Standards for Attestation Engagements No. 16. Effective in mid-2011, this new auditing standard superseded the SAS 70 standard. According to AICPA, the SSAE 16 requires companies, like data centers, to provide a written report that describes any and all controls at organizations that provide services to customers when those controls are likely to be relevant to user entities internal control over financial reporting. In May of 2017, SSAE 16 was super-ceded by SSAE 18.
What Is SSAE 18?
In the Spring of 2016, the AICPA’s Auditing Standards Board (ASB) completed the clarity project, the result of which was the issuance of SSAE 18, “Concepts common to all Attestation Engagements”. As the SOC 1 is an attestation engagement, the SSAE 18 standard will apply to SOC 1’s and supersedes the SSAE 16 standard. The SSAE 18 standard will go into effect for reports dated after May 1, 2017. It is important to note that the SSAE 16 standard was specific to service organizations and the SSAE 18 is for all attestation engagements which essentially means that referring to a SOC 1 as an SSAE 16 examination will go away and will not be replaced by the term SSAE 18 examination but will be referred to simply as the SOC 1.
What Is SOC 1?
The SSAE 18 SOC 1, sometimes just stated as SOC 1, is the report you get when you are audited for SSAE 18. The SOC 1 Type 1 report focuses on a service provider’s processes and controls that could impact their client’s internal control over their financial reporting (ICFR). The examination helps ensure that both the system and personnel responsible for these controls at the third-party provider are doing their job in a manner that will not adversely affect their client’s ICFR. This report is key with respect to services such as payroll and taxation since when performed by a third-party provider, such services will have a direct impact on a client’s ICFR. For example, if you outsource payroll management to a provider that doesn’t have the proper controls in place, you risk payroll errors in your internal data. This will come with problematic consequences since, in the end, you will be held accountable for those errors.
What Is SOC 2?
The SOC 1 and SOC 2 reports come in two forms: Type I and Type II. Type I reports evaluating whether proper controls are in place at a specific point in time. Type II reports are done over a period of time to verify operational efficiency and effectiveness of the controls.