SSAE 18 SOC 1 and SOC 2 Attestations
Our team of CISA/DISA help our clients get SSAE 18 compliant. We can support you in both SSAE 18 SOC 1 and SOC 2 Attestations.
Service Organization Control (SOC) reports are governed by SSAE 18 issued by AICPA. The SOC reports provide customers of outsourced services comfort that the vendors has all the required controls in place to keep their data secured and has the right controls so that there are no adverse impact on their financial statements.
Further, the report also gives comfort to the auditor of the outsourcing entity that the vendor has an effective control environment. This eliminate the need for the auditor to audit the vendor every year.
SOC Reports are applicable if the outsourcing entity is a US entity covered by Sarbanes-Oxley Act (SOX). There are the following types of attestation reports:-
- SOC 1 is applicable if a business process is outsourced and transactions are being processed by the vendor. If these transactions have an impact on Financial Reporting of the outsourcing entity then the SOC 1 will be a requirement. There are two types of reports:-
- Type 1 – This report provides attestation about the design of controls implemented by the service entity.
- Type 2 – This report provides attestation about the operating effectiveness of the controls implemented y the service entity.
- SOC 2 is applicable if any IT service is outsourced. As a result anyone providing IT services, Software as a Service (SaaS), Platform as a Service (PaaS), or Application Platform as a Service (aPaaS) or Data Center services are required to provide this attestation service.
SSAE 18 provides five trust principles that can be covered by these reports. The trust principles are – security, availability, processing integrity, confidentiality, and privacy. There are two types of reports:-
- Type 1 – This report provides attestation about the design of controls implemented by the service entity.
- Type 2 – This report provides attestation about the operating effectiveness of the controls implemented y the service entity.
- SOC 3 reports is a condensed version of SOC 2 reports and don’t provide as much details as a SOC 2 report does.
Knowledge Pool
Access to 100 plus professional experts and advisers across Indian and overseas
Meet out team