SSAE SOC 2&3 Compliance

SSAE SOC 2&3 Compliance


Service organizations that operate financial or accounting information systems or provide such system services to other entities are required to comply with the Service Organization Controls (SOC) reporting requirements. These requirements ensure service organizations have controls in place that protect financial data and meet user needs.

The Statement on Standards for Attestation Engagements (SSAE16) replaces the SAS70. The AICPA moved requirements for CPAs reporting on controls at service organizations to the attestation standards, and established three Service Organization Control (SOC) reporting options (SOC 1, SOC 2 and SOC 3 reports) to replace SAS70.

Each type of SOC report is designed to help service organizations meet specific user needs. Unlike SOC1 engagements that test client-specific controls over financial reporting, SOC2 and SOC3 engagements are based on pre-defined control objectives established by the AICPA and CICA in the “Trust Services Principles and Criteria” (TSPC) framework. The TSPC are highly technical in nature and require significant information technology expertise to test.

Common Service Organization SOC reporting requirements relevant to the following:

  • Security: The system is protected logically and physically from unauthorized access
  • Availability: The system is available for service according to SLA's or contract
  • Processing Integrity: System processing is completed in a timely, accurate and authorized fashion
  • Confidentiality: Confidential information is protected according to SLA's or contract
  • Privacy: Personally Identifiable Information (PII) is used according to organizations privacy policy and is compliant with AICPA guidelines

Potential Risks

Publicly traded companies require their service providers or business process outsourcers (BPOs) to demonstrate compliance with SOC reporting requirements. Failure to demonstrate compliance can result in an inability of the organization to serve its customers. A breach of 3rd party customer data could result in increased liability based on the terms of the contract and additional fines and penalties if the dataset falls under regulatory requirements. It's also important to keep in mind the possibility of PR damage to your organization and loss of brand equity.

How We Can Help

Our qualified experts understand the impact SSAE SOC requirements have on your information systems' procedures. We will bring procedural expertise to your organization regarding these issues.

Failure to comply with relevant requirements can have a devastating impact on your organization. Don't take chances - let our experts help! CompliancePoint has a variety of services that you can leverage to meet your SOC 2 & 3 compliance needs.

Receive Updates, Alerts & Holiday Reminders