The simple answer is that all these terms are interlinked in some way and are assurances over outsourced operations. In other words, a SAS 70 report, an SSAE 16 / SOC 2 Type 2 compliance auditor report, etc., give assurance to the user of the audit report that the internal controls at the service provider are effective, provided the report is unqualified.
With increased globalization, outsourcing seems to be the business mantra. Companies outsource systems, business processes and data processing. All outsourcing is done with an assumption that the operational risk at the service provider will be effectively managed and that the service provider is able to build a robust internal control framework.
In doing so, the user organisation (the company that outsources the activities) needs to gain comfort that the data, processes, inputs and outputs at the service provider location are effectively handled and do not expose the user organisation to reputational or other risks.
Until recently, this was done using SAS 70 reports [Statement on Auditing Standards 70]. These gave organisations broad comfort over the controls at the service provider.
However, the biggest weakness of SAS 70 reporting was that its main focus was on risks relating to internal control over financial reporting. But what about risks such as the one given below?
Do service providers have adequate controls and policies in place to address controls beyond those related to financial reporting, i.e. operational controls? This gap resulted in SAS 70 being replaced by another set of reports called SOC reports.
Need for a CPA review/audit
As per AICPA website, “A CPA may be engaged to examine and report on controls at a service organization related to various types of subject matter, for example, controls that affect user entities’ financial reporting or controls that affect the security, availability, and processing integrity of the systems or the confidentiality or privacy of the information processed for user entities’ customers.”
For this purpose, and to address the varying requirements of such engagements, the AICPA has introduced Service Organization Control (SOC) reports. There are three types of SOC reports and, as you might guess, they are SOC 1, SOC 2 and SOC 3.
SSAE 16 has two types of reports.
The purpose of the SOC 2 Type 2 certification and report is to provide assurance, in the form of an opinion, on the level of trust that the user auditor and user organisation can place in the system the service organization has deployed to mitigate operational and compliance risks.
A SOC 2 report demonstrates an independent auditor’s review of a service organization’s application of criteria related to one or more of the Trust Services Principles, which are: