
How the SSAE 18 Standard can help your organization

Does your organization use third party vendors? Many organizations today rely on a number of third parties to provide different services for them. They may be hosting your servers and systems in a remote site or in the cloud. Vendors may be handling and processing your data. You may have them providing monitoring or security operations services for you. But how do you know how well these third parties are doing their job? Do they have controls in place to ensure they are securing the data they handle and that their financial reporting is correct? You, like others in most organizations, do not have the time or expertise to examine all your vendors yourself, and it would be difficult for vendors to handle every one of their clients wanting to assess them. There should be a better way, and there is. There is a series of reports that vendors can obtain on an annual basis and provide to their clients, or even potential clients, to help show they are doing things properly. These reports are called SOC (System and Organization Controls) reports and are issued by CPA firms.

To understand these reports, it’s important to understand some of the underlying standards they are based on. The first is SSAE 18, the Statement on Standards for Attestation Engagements No. 18. It was issued by the AICPA in April 2016, replacing the previous 2010 SSAE 16 standard, and went into effect in May 2017. SSAE 18 is an auditing standard that defines how attestations (essentially assessments) of internal controls over financial reporting are conducted for “service organizations”, which is the term used for these third party/vendor organizations. The result is reported in a SOC 1 report.

While SSAE 18 is a US standard, it closely mirrors ISAE 3402 (International Standard on Assurance Engagements 3402).

SOC 1 Reports:

A SOC 1 report is issued on an organization’s internal controls on financial reporting (ICFR).  This report helps you see if the service organization is handling their finances correctly.

There are two kinds of SOC 1 reports.

  • A SOC 1 Type 1 report is a snapshot of the organization’s controls on a given day.
  • A SOC 1 Type 2 report is a historical report of the controls over a period of time, at least 6 months.

SOC 2 and SOC 3 Reports:

Next are the SOC 2 and SOC 3 reports. SOC 2 and SOC 3 reports are issued on an organization’s controls over its system relating to security, availability, processing integrity, confidentiality, or privacy. Such examinations follow the standards set by SSAE 18 but use the Trust Services Criteria to evaluate the controls. These reports are very useful when service organizations provide IT services such as billing, cloud services, or remote hosting, among others.

Again, there are two kinds of SOC 2 reports.

  • A SOC 2 Type 1 report is a snapshot of the organization’s controls on a given day.
  • A SOC 2 Type 2 report is a historical report of the controls over a period of time, at least 6 months.

The SOC 2 report is intended for a limited audience: those within the service organization and its clients who understand the purposes and limitations of a SOC 2 report. The SOC 3 report, by contrast, is a general use report covering the same topics and intended for anyone. SOC 3 reports do not have different types.

As noted above, many companies providing third party services will obtain SOC reports because it helps them sell their services to potential clients. Many will even indicate on their websites that they are SOC compliant. At 24By7Security, we can assist you, in your role as a client or as a third party vendor, in preparing for a SOC 1/2/3 examination.

You can see a brief description of our services for SOC/ SSAE 18 compliance at https://24by7security.com/services/compliance/soc-ssae18/

Michael Brown

Michael Brown is a Senior IT Professional and Manager at 24By7Security, Inc. He has a BS in Computer Science and a Master’s degree in Computer Science from Florida Atlantic University. He has been elected President of South Florida ISSA chapter for 2018-2019. Michael has a long list of professional certifications including Certified Information Systems Security Professional (CISSP), Healthcare Information Security and Privacy Practitioner (HCISPP) and Certified Information Systems Auditor (CISA). Subscribe to the 24By7Security blog to read Michael’s articles.
