SSAE-16 and SOC-1 - Assessment of Controls for Financial Reporting

The Tip of the Night for February 26, 2019 discussed the SOC 2 Cloud Security Standard, the cloud security certification offered by AICPA, the American Institute of Certified Public Accountants. When considering whether or not to use a vendor to host data in the cloud, check to see if it has also completed an AICPA SSAE-16 examination performed by one of the Big Four accounting firms. A good vendor will have done both SOC 2 and SSAE-16 examinations. The SOC 1 reports that a SSAE-16 audit issues will review how the data center's controls affect their financial reporting. SSAE-16 stands for Statement on Standards for Attestation Engagements No. 16.


SOC 2 focuses on the security and privacy of data when it's stored and in transit. It checks the security, availability, processing integrity, confidentiality, and privacy of data. SSAE-16, and the SOC 1 Type 1 and Type 2 reports address the sufficiency of internal controls for the purposes of financial reporting.


SSAE-16 is the audit conducted before a SOC 1 report is issued which assesses how comprehensive a data center's controls are. After a first report giving an evaluation of the data center at a given point in time, and second SOC 1 report will be prepared that shows the condition of the data center's control system over time.