AICPA SSAE 16 Report Comparison – SOC 1 vs. SOC 2 vs. SOC 3

The American Institute of Certified Public Accountants (AICPA) recently developed a Service Organization Control (SOC) Toolkit for firms that perform SOC engagements and their clients. The toolkit was developed to help firms navigate this emerging service area and help clients, prospects and service organizations understand the benefits of SOC engagements. The toolkit includes a number […]

Top 5 Reasons to Get an SSAE 16 (f. SAS 70) Report

So, you have a current customer or client asking whether you have completed an SSAE 16 examination. Now you may have some basic questions such as the following: What is an SSAE 16 audit report? A Type II SSAE 16 report is an independent report on the design and operating effectiveness of key controls at […]

Deconstructing an SSAE 16/SOC 1 (formerly known as SAS 70) Audit Report

Many U.S. companies receive what, until recently, were called SAS 70 audit reports from certain types of vendors. These reports come out once a year, typically in the late fall. While most organizations do a good job of recognizing the need to request these reports, often they are not properly reviewed and evaluated when received. So, what do you do with the report once it has been received, other than give it to the internal and external auditors?

SAS 70, SSAE 16, AT 101, SOC 1, 2, 3, SysTrust and WebTrust. Good Luck.

Recently, the AICPA has started referring to SSAE 16 reports as SOC 1 reports. SOC stands for service organization control reports, not to be confused with SOX, which most know is an acronym for the Sarbanes-Oxley Act of 2002. In any case, the AICPA is trying to simplify the many different types of reports service […]

Testing Exceptions

What are testing exceptions and what is their role in the SAS 70/SSAE 16 audit? Testing exceptions are simply deviations from the expected result from testing one or more control activities. Consider the following example: Control Objective: Controls provide reasonable assurance that statement processing is appropriately scheduled and that deviations in processing are identified and […]