Key security terms to know
You’ll hear many terms when you’re discussing security and how to prove your company’s security: SSAE 16 and SSAE 18, SOC 1, and SOC 2. What do these terms mean? How do they fit together?
First, the SSAE 16 standard (now succeeded by SSAE 18) and the SOC 1 and SOC 2 reports are the current iterations of audit standards and reporting frameworks that have evolved over the years to accurately reflect how companies do business, and to effectively assess the controls that companies have in place to manage their security.
Origin of the SSAE 16 audit
In the 1990s, the American Institute of Certified Public Accountants (AICPA) guidelines offered an examination for service providers based on Statements on Auditing Standards (SAS) 70 — the focus of which was ensuring that appropriate controls were in place at businesses that engaged service organizations to perform tasks that could have an impact on that business’s financial statements. Since that time, the advent and the rapidly increasing prevalence of cloud computing, and the ability of companies to outsource their services to third-party providers, changed the landscape of service organization assessment.
The need for more comprehensive systems of assessment resulted in the development of the SSAE 16 audit (Statements on Standards for Attestation Engagements No. 16) as well as the SOC (System and Organization Controls) reporting framework. The SSAE 16 was a set of auditing standards and guidance published by the Auditing Standards Board (ASB) of the AICPA, and it applied specifically to SOC 1 reports. A SOC 1 report documents an organization’s internal controls that are likely to be relevant to an audit of that organization’s financial statements.
The SSAE 16 audit and report process was issued in 2010 and was effective as of June 2011. The SSAE 18 standard, effective as of May 2017, supersedes SSAE 16.
Evolving standards: From the SSAE 16 to SSAE 18
Changes from the SSAE 16 audit standard to the SSAE 18 require companies to take greater ownership of their own internal controls around the identification and classification of risk and to enact appropriate management of third-party vendor relationships. Specifically, SSAE 18 requires identification of subservice or third-party organizations used to provide services, as well as the controls that those organizations employ to provide services to their customers. SSAE 18 also requires an organization to implement controls to monitor, in turn, the relevant controls employed by third-party organizations.
Overall, the SSAE 18 standard includes enhancements intended to increase the usefulness and quality of SOC reports. SSAE 18 addresses different types of attestation reports, including and beyond the SOC 1, though a SOC 1 remains a typical report generated from an audit against the SSAE 18 standard.
Proving security with SOC reports
Auditing and reporting against industry standards like SSAE 18 are key components of a holistic approach to compliance risk management. How can your company ensure that the providers with whom you do business are meeting your needs and regulators’ requirements for security, confidentiality, and information privacy? Today, the best way to ensure that your service providers have appropriate security controls in place is to obtain assurances in the form of SOC 1 and SOC 2 reports — the specific outputs of service organization audits by a third-party accounting firm. Audited service providers are able to demonstrate that they are certified and in compliance with the level of data and information security a company requires from its providers.
SOC 1 reports and their documentation of controls that are relevant to an audit of financial statements are one part of ensuring and maintaining your company’s holistic security and compliance ecosystem. SOC 2 audits and reports are also an essential part of demonstrating your company’s security practices and evaluating vendors to ensure that their security is up to agreed-upon standards. The SOC 2 report structure — based on the five Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy — can help provide a framework for your company to develop a coherent and comprehensive security roadmap.
Vanta is your automated security and compliance expert — providing your company with powerful continuous monitoring software to maintain and monitor security across your business ecosystem. With Vanta, your company’s security oversight processes are running in the background, across your company’s established policies and vendor relationships — ready to alert your team if anything is out of order.