Why SOC 1 / SSAE 16 is overused

December 12, 2014 |

Why are cloud service providers and data centers spending tens of thousands of dollars on a SOC 1 / SSAE 16 (SSAE 16) audit report that does not address their client’s real requirements? If these audit reports don’t address client requirements then why do clients continue to request a SSAE 16? The short answer is a check the box approach to assurance that rewards form over substance. There are instances when SSAE 16 is the right reporting vehicle, however; there are too many misconceptions in the industry for all service organizations and their client’s to blindly default to SSAE 16. Risks and demands of service providers (particularly cloud service providers) have evolved since the origins of the SSAE 16 predecessor—SAS 70—established decades ago.

I like to think of these misconceptions parallel to a common misconception that bulls hate the color red. Bulls are colorblind and react to motions of the bull fighter’s cloth as a perceived threat. Don’t let the industry fool you into believing that SSAE 16 addresses your risk and compliance concerns. Remember, substance over form will lead to a more sustainable solution.

Let’s discuss the current reporting methods used by many of today’s businesses and examine the alternatives.


SOC 1: A Brief History

SSAE 16 reporting evolved from the legacy SAS 70 created in 1992 but has roots tied to statements on auditing procedures (SAP No. 29) issued in 1958 for reviews of internal control over financial reporting. In 2011, the International Auditing and Assurance Standards Board (IAASB) and the Auditing Standards Board (ASB) issued new standards for evaluating and reporting on internal controls at service organizations. This measure was designed to create global consistency for reporting while calling for a variety of new requirements, including a written assertion by management and a more comprehensive system description.

Again, these changes sought to create consistency while providing a comprehensive reporting solution for service organizations and their user entities. Specifically, when those controls are likely to be relevant to the user entities’ internal controls over financial reporting.

The Problem With SSAE 16

Organizations who use cloud service providers, other tech companies, and SaaS solutions have more complex requirements than other businesses. SSAE 16 reports typically do not address uptime requirements, disaster recovery, confidentiality, and very basic security controls or monitoring controls such as vulnerability scanning and penetration testing. These controls are not typically relevant to financial reporting.

Unfortunately, many vendor compliance checklists haven’t caught up to recent technology developments and default to SSAE 16 without consideration for why or the related risks. These checklists put more stock into the history of SSAE 16 reports (and, by extension, SAS 70 reports) than into the needs of today’s advanced businesses.

SOC 2 and SOC 3 reports, on the other hand, are more likely relevant to the users of cloud service providers – except those who use the cloud primarily for supporting financial reporting. These reports have standard reporting formats that address aforementioned issues like uptime requirements, disaster recovery, confidentiality, and security and monitoring controls. In fact, it is only a matter of time before vendor compliance checklists are updated to include SOC 2 or SOC 3. More importantly, it is only a matter of time before vendor compliance programs will address the real risks that more accurately align with the ever-evolving business world. Will your service organization be prepared?

What’s Best For Your Organization?

With the rise of cloud service providers, SSAE 16 reporting may not be right for your organization. Consider your client compliance demands and the risks to achieving those commitments, and then tailor your reporting to address these risks.

One final note: SOC 2 or SOC 3 reporting may not be enough on its own. The good news is that most businesses tend to find significant overlap with these reports and SSAE 16 reports, so running multiple reports may not be as much of a burden as you think. BARR has established a unified compliance approach. Unified compliance begins with your risks and backs into a harmonized control set. The result is more efficient operations that more effectively report on compliance (e.g., SSAE 16, SOC 2/3, HIPAA, PCI, NIST 800-53, ISO 27001, etc.).

Are you unsure if SSAE 16 reporting is the right solution for your organization? Tell us about it in the comment section. If you’re still looking for the right reporting solution, call BARR today to learn how you can establish your organization as a leader in the industry.

Let's Talk