SAS 70, SSAE 16, SSA18 and SOC Comparison

The Complete Guide to SAS 70, SSAE 16, SSA18, and SOC Comparisons

What does SAS 70 stand for?

SAS 70 stands for Statement on Auditing Standards No. 70 and is classified as a particular standard of authority which was developed and designed by the American Institute of Certified Public Accountants (AICPA).

What does SSAE 16 stand for?

It was in 2011 that the Statement of Standards for Attestation Engagements No. 16 (SSAE 16), replaced SAS70 and became the new authoritative standard for service organization audits.

Accounting Services SOC Reports

What is SOC?

The American Institute of Certified Public Accountants introduced the new reporting framework for their practitioners, otherwise known as Service Organization Controls (SOC). This enabled practitioners to deliver alternative reporting types depending upon the individual requirements of their stakeholders and their organization.

SSAE16 offers three different reporting options, these are known as Soc1, Soc2, and Soc3 reports.


SOC1 reports deal with financial data.

SOC2 reports deal with non-financial data. For instance, it provides service providers in the data sector a simplified way to demonstrate their safeguarding controls and ensures that the information they hold is easily and readily accessible.

SOC 1 Explained

A SOC1 report is basically the same as a sas 70 report, with just a few minor differences.

It provides control internally over financial reporting and is restricted to User Entities and Auditor Entities. There are two different report types.

Type 1 – This outlines the management’s description of the system, along with its specific design and its ability to adhere to the multitude of control measures that are in place at a specific point in time.

Type 2 – This outlines the management’s description of the system, along with its specific design and its ability to adhere to the multitude of control measures that are in place over a defined time period.

What is SOC 2?

SOC2 report is said to be a superior report for service providers when compared side-by-side with SOC1. It reports on relevant controls in line with the trust principals and criteria. The framework for a SOC2 report is based on a range of criteria categories and trust principals.

Criteria Categories: Communications, Monitoring, Policies, and Procedures.

Principals: Confidentiality, Availability, Security, Privacy, and Processing Integrity.

In order for any organization to become SOC2 certified, they need to undergo a rigorous process of auditing that is carried out by an independent body. If a company is going to handle data that is classified under PHI or governed by any laws such as HIPAA, this is an essential requirement and proves that a company meets with specific compilatory requirements.

What is a SOC3 Report?

A SOC3 report provides a certification level for data centers and is usually for general use. It provides a level of assurance to users of high-availability, security at the facility, and the integrity of the data processing.

Although a SOC2 report is inclusive of service auditor testing and provides results, a SOC3 report will only provide a description of the system along with the opinion of the auditor.

Outsourcing & Security Measures

Everything you Need to Know about SAS70 Reports

SAS70 was first introduced in 1992 when the act of outsourcing was a new practice, and many organizations retained much of their data processing and IT internally. Despite the fact that there were limited tasks being outsourced at that point, there were concerns raised about the standards and practices of third-party agencies. Specifically, the issues raised were linked directly to how such processes could have impacted the yearly financials of the companies who were affected.

SAS70 served to help auditors who worked externally to a business, to organize assessments of their customer’s financial statements where third-party agencies were used for financial transaction reporting and processing services. SAS70 clarified the auditing needs and enabled the external auditor’s review and test the controls which were in place within these third-party agencies more quickly and more thoroughly.

As outsourcing became a more common occurrence, and more organizations depended on third-party agencies for essential business processes such as manufacturing, payroll, and order fulfilment services; and with the rise in popularity of technology-based innovations such as SaaS and other cloud services, SAS70 was continually being adapted and used for purposes to which it was not originally intended.

As a result of this, there became a need for a more robust framework and better standards of governance. The NIST 800 series and ISO 27000 were since developed in order to address the growing needs for security and assurance within service organizations.

SAS70 outlines the precise standards of which any service or independent auditor should employ to access the stated contractual controls that exist internally within a service organization. These controls also included those which relate specifically to IT and any other associated processes. The elected auditor would then outline the description of such controls in the format of a Service Audit Report.

The SAS70 compliance standards were initially purposed to simplify the criteria used for auditing standards that were initially in place through the SAS 55 standards.

SAS70 audits were essential to particular service organizations, some of which included insurance claims processors, hosted data centres, and credit processing organizations due to the fact that these businesses deliver outsourcing services which can impact the operations of their customers; and because of this, they need to verify their internal controls specifically around the subject of data management.  Since June 2015, SAS70 attestations were no longer issued.