Key security terms to know
You’ll hear many terms when you’re discussing security and how to prove your company’s security:
- SSAE 16
- SSAE 18
- SOC 1
- SOC 2
What do these terms mean? How do they fit together? And how are they different?
SSAE 16, and now its successor SSAE 18, together with SOC 1 and SOC 2 reports, are the current iterations of audit standards and reporting frameworks. These methods have evolved over the years to accurately reflect how companies do business, and to effectively assess the controls that companies have in place to manage their security.
What is the SSAE 16 audit?
In the 1990s, the American Institute of Certified Public Accountants (AICPA) guidelines offered an examination for service providers based on Statement on Auditing Standards No. 70 (SAS 70). The focus of these guides was to ensure that appropriate controls were in place at businesses that engaged service organizations to perform tasks that could have an impact on that business’s financial statements.
Since that time, the advent and the rapidly increasing prevalence of cloud computing, and the ability of companies to outsource their services to third-party providers, changed the landscape of service organization assessment.
The need for more comprehensive systems of assessment resulted in the development of the SSAE 16 audit (Statements on Standards for Attestation Engagements No. 16) as well as the SOC (System and Organization Controls) reporting framework.
The SSAE 16 was a set of auditing standards and guidance published by the Auditing Standards Board (ASB) of the AICPA, and it applied specifically to SOC 1 reports. A SOC 1 report documents an organization’s internal controls that are likely to be relevant to an audit of that organization’s financial statements.
The SSAE 16 audit and report process was issued in 2010 and became effective in June 2011. As of May 2017, SSAE 18 supersedes SSAE 16. When it comes to SSAE 16 vs. SSAE 18, there are some major differences you and your business need to be aware of.
Evolving standards: What is the difference between SSAE 16 and SSAE 18?
Changes from the SSAE 16 audit standard to SSAE 18 require companies to take greater ownership of their own internal controls. The controls that changed between SSAE 16 and SSAE 18 concern specifically the identification and classification of risk, and the appropriate management of third-party vendor relationships.
Specifically, SSAE 18 requires identification of the subservice or third-party organizations used to provide services, and of the controls that those organizations employ to provide services to their customers.
When it comes to the differences between SSAE 16 and SSAE 18, an organization's responsibility for relevant controls is a major one. An organization must implement controls to monitor, in turn, the relevant controls employed by the third-party organizations it relies on. (Learn more about implementing a vendor management policy.)
Overall, the SSAE 18 standard includes enhancements intended to increase the usefulness and quality of SOC reports. SSAE 18 addresses different types of attestation reports, including and beyond the SOC 1, though a SOC 1 remains a typical report generated from an audit against the SSAE 18 standard.
Why change from SSAE 16 to SSAE 18?
Any change to your operations requires time and effort, so is it worth it to change from SSAE 16 to SSAE 18? In short, yes, there are multiple advantages to switching to SSAE 18.
In comparing SSAE 16 vs. SSAE 18, SSAE 18 is a more unified standard for international use. For organizations doing business overseas, SSAE 18 allows for reporting that is more widely recognized in different regions of the world.
SSAE 18 also simplifies certain sections of SSAE 16, especially the attestation sections. While it can take time to get used to the scheme introduced by SSAE 18, it is a more straightforward standard that will streamline reporting in the long run.
Proving security with SOC reports
Auditing and reporting against industry standards like SSAE 18 are key components of a holistic approach to compliance risk management. How can your company ensure that the providers with whom you do business are meeting your needs, and regulators’ requirements, for security, confidentiality, and information privacy?
Today, the best way to ensure that your service providers have appropriate security controls in place is to obtain assurances in the form of SOC 1 and SOC 2 reports. These two reports are the specific outputs of service organization audits by a third-party accounting firm.
Audited service providers are able to demonstrate that they are certified and in compliance with the level of data and information security a company requires from its providers. SOC 1 reports, with their documentation of controls relevant to an audit of financial statements, are one part of building and maintaining your company’s holistic security and compliance ecosystem.
SOC 2 audits and reports are also an essential part of demonstrating your company’s security practices and evaluating vendors to ensure that their security is up to agreed-upon standards. The SOC 2 report structure is based on the five Trust Services Criteria of:
- Processing integrity
The Trust Services Criteria can help provide a framework for your company to develop a coherent and comprehensive security roadmap.
Vanta is your automated security and compliance expert. We can provide your company with powerful continuous monitoring software to maintain and monitor security across your business ecosystem.
With Vanta, your company’s security oversight processes are running in the background, across your company’s established policies and vendor relationships — ready to alert your team if anything is out of order.