There is no such thing as a SOC or SSAE 16 (known as SOC 1, which is the marketing name for the standard) certification. It is not a huge deal to refer to it as a certification, but technically speaking, SSAE 16 is an attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), and SOC 2 uses the attestation standard Section 101 of the AICPA Codification Standards (AT Section 101). Auditors use these standards to perform an attest engagement for a service organization. This results in the issuance of a service auditor’s report on controls, not a certification. There is no designation, award, certification, confirmation or any other type of special validation for the completion of a SOC 1 or SOC 2 examination.
When asked how to refer to this type of examination, we at Linford & Company generally say that a service organization can say they underwent an examination or an audit and were issued a SOC report as a result of the examination. A service organization can expand on this to also say they were issued an unqualified opinion (if in fact it was unqualified, which most of them are). There are now also approved logos that service organizations can put on their websites to show they completed a SOC examination, but that is the extent of what is available outside of the report issued by the auditor.
So while it is not a big deal to refer to these examinations as certifications, and we hear that a lot, it is always good to know the facts about what you are getting.
Nicole Hemmer started her career in 2000. She is the co-founder of Linford & Co., LLP. Prior to Linford & Co., Nicole worked for Ernst & Young in Indianapolis, Chicago, and Denver. She specializes in SOC examinations and royalty audits and loves the travel and challenge that comes with clients across all industries. Nicole loves working with her clients to help them through examinations for the first time and then working together closely after that to have successful audits.