What is SSAE 18, SOC 1, SOC 2, SOC 3?
SSAE 18 (Statement on Standards for Attestation Engagements 18) is the audit and attestation standard for reporting on internal controls at service organisations. A service organisation is any entity providing services to another organisation (for example, server hosting and colocation providers, software-as-a-service companies and payroll processors). SSAE 18 became effective on 1st May 2017, replacing SSAE 16 and its predecessor SAS 70.
The SSAE 18 standard is used to produce System and Organisation Controls (SOC) reports. There are three types of attestation reports: SOC 1, SOC 2 and SOC 3. The SOC 1 report assesses IT processes at a service organisation that are relevant to the customer organisation’s financial reporting (usually for U.S. publicly held companies).
A SOC 2 assessment covers a service organisation’s general IT security controls across the environment, based on the Five Trust Services Principles of Security, Availability, Processing Integrity, Confidentiality and Privacy, with no focus on financial reporting.
The SOC 3 report is a high-level overview of a service organisation’s IT security controls, simply stating whether or not the audited entity has achieved a level of compliance with the Trust Services Principles.
SOC reports provide a service organisation’s customers with assurance on the internal controls over the systems and services provided.
A SOC report is often requested by organisations seeking to outsource systems, services or operational activities to third-party providers. The reports provide valuable information that helps organisations to evaluate the service organisation and to assess the risks associated with outsourcing.
Due to the detailed level of testing and evaluation involved in an SSAE 18 SOC 1/SOC 2 audit, service organisations often rely on an experienced security professional to help them understand the IT areas that will be the most intensely scrutinised.
Working with a security expert helps your team gain a better understanding of the controls that will need to be implemented and/or strengthened to be ready for the SSAE 18 testing process.
At Sysnet Global Solutions, our security consultants have extensive experience in working with the SAS 70/SSAE 16/SSAE 18 regulations and testing.
While only an accredited Certified Public Accountant (CPA) company can perform the formal SSAE 18 audits, Sysnet’s expert consultants can help your organisation prepare for the SSAE 18 audit, the testing procedures and the evidence needed to be successful in the SSAE 18 audit.