SSAE 18 requires a description of the system at service organizations. Service organizations are now required to effectively choose between SSAE 18(SOC 1, SOC 2 and SOC 3).

SOC 1:

SSAE 18(SOC 1) audit fully supports the objective of continued growth, client confidence, and the ability to serve a broader range of clients, with a proven and very strong return on investment (ROI).

Both SSAE 18 (SOC 1) Type 1 and SSAE 18 (SOC 1) Type 2 reports can be issued depending on the specific requirements and objectives of the service organization. Both report types add value and credibility to a service organizations core activities with the following differences:

  1. Type 1 is a report on policies and procedures placed in operation as of a specified point in time.
  2. Type 2 is a report on policies and procedures placed in operation and tests of operating effectiveness for a period of time.

SOC 2:

Service Organizations providing services that do not impact their client’s financial reporting, the audit reports will be considered SOC 2 or SOC 3 reports and focus on controls at a service organization relevant to the following Trust Services principles of Security, Availability, Processing Integrity, Confidentiality, Privacy.

SOC 2 reports are restricted use reports to:

  1. Management of the service organization (the company who has the SOC 2 performed)
  2. User entities of the service organization (customers, regulators, business partners, suppliers, etc.)

SOC 2 reports are also of two types: Type 1 and Type 2 and interpretation is same as mentioned in SOC 1.

SOC 3:

Unlike a SOC 2 report (which is a restricted use report), SOC 3 reports are general use reports, which means upon attainment of an unqualified report, they can be freely distributed or posted on a website as a seal for one full calendar year from the date of issue.