There is no such thing as a SOC or SSAE 16 certification (SSAE 16 is known as SOC 1, which is the marketing name for the standard). It is not a huge deal to refer to it as a certification, but technically speaking, SSAE 16 is an attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), and SOC 2 uses the attestation standard Section 101 of the AICPA Codification Standards (AT Section 101). Auditors use these standards to perform an attest engagement for a service organization. This results in the issuance of a service auditor’s report on controls, not a certification. There is no designation, award, certification, confirmation or any other type of special validation for the completion of a SOC 1 or SOC 2 examination.
When asked how to refer to this type of examination, we at Linford & Company generally say that a service organization can say they underwent an examination or an audit and were issued a SOC report as a result of the examination. A service organization can expand on this to also say they were issued an unqualified opinion (if in fact it was unqualified, which most of them are). There are now also approved logos that service organizations can put on their websites to show they completed a SOC examination, but that is the extent of what is available outside of the report issued by the auditor.
So while it is not a big deal to refer to these examinations as certifications, and we hear that a lot, it is always good to know the facts about what you are getting.