Recently, the AICPA has started referring to SSAE 16 reports as SOC 1 reports. SOC stands for service organization control reports; it is not to be confused with SOX, which most know as the acronym for the Sarbanes-Oxley Act of 2002. In any case, the AICPA is trying to simplify the many different types of reports service organizations can receive by using the terms SOC 1, 2, and 3 in addition to the technical names SSAE 16, AT 101, and SysTrust/WebTrust. In actuality, though, this is just causing confusion in the marketplace. Anecdotally, we have observed that over 98% of all service organization reports are SAS 70, soon to be SSAE 16/SOC 1, reports. SOC 2 and 3 reports are in fact AT 101 reports based on SysTrust and WebTrust criteria, which have been around for 10-plus years, though few CPAs, and almost no one else, have ever heard of an AT 101 report before, let alone SysTrust/WebTrust. Bewildered? Well, that’s because it is bewildering, and even most CPAs who specialize in this area will be hard pressed to explain it clearly.
To sort this out and avoid muddying the waters any further, SSAE 16 reports (i.e., SOC 1) are the reports service organizations should consider first when evaluating which type of report to receive.
In a limited number of cases, it would be incorrect for a service organization (e.g., a Help Desk Management SaaS provider) to receive an SSAE 16 report. They probably should receive a SOC 2 or 3 report. Why? Help desk activities are not likely to play a role in financial reporting, which is a requirement for an SSAE 16 report. The reality is that the marketplace only understands one report for service organizations, and it is not SOC 2 or 3, SysTrust, WebTrust, or even SOC 1 or SSAE 16. It understands SAS 70, but unfortunately that known brand is going away and being replaced by something that currently is not well known. For now, just think SAS 70 = SSAE 16 = SOC 1 and you will be right 98% of the time.