“Keep It Simple” and Just Call Me SOC

March 6, 2017 Douglas Barbin


You have probably seen blog articles circulating about the "new change" to SSAE 18, including Schellman’s article in Accounting Today. Yes, the new standard imposes some important but relatively minor changes, and those changes guide us, the service auditors performing these assessments. You may even see some adjustments to our approach in your next SOC examination.

This is nothing new. Standards bodies, be it the AICPA, the PCI Security Standards Council, ISO accreditation bodies, or the FedRAMP PMO, frequently issue different types of guidance to assessors. These updates can take the form of a new standard, pronouncement, clarification, or guidance, or be passed along via training modules. Whenever a change requires a modification to testing, your auditor should be advising you on the impacts to you and your assessment prior to commencement. Other than that, it is largely business as usual.

You Don’t Want to Turn Back Time to SSAE 16  

Many companies were (and are) technically inaccurate in combining the SSAE 16 standard and SOC 2 reports. I've seen countless references to "SSAE 16 SOC 2" reports. The SSAE 16 standard governs service auditors who perform examinations for SOC 1 reports. SOC 2 reports are guided and prepared under the broader AT Section 101 attestation standards (which are going away in May). Going forward, the nomenclature is simpler, as all SOC reports are prepared under one attestation standard: SSAE 18.

Who Really Cares and Who is Affected?

SSAE 18 guides the service auditor, not your organization. It could change again next year; however, what hasn’t changed is that your organization would still undergo an attestation. If you received a Service Organization Control (SOC) report in prior years, you will still receive a SOC 1, SOC 2, or SOC 3 report, period.

My advice to you, as a CPA who spent several years in product marketing, is to avoid the overhype of the latest new term. As Van Morrison says, “Well you got to keep it, keep it simple and that's that” - so just call it a SOC report, and let your auditors deal with the minutiae.

About the Author

Douglas Barbin

Doug Barbin is managing principal (and co-owner) responsible for firmwide growth and service delivery including new services, sales, global expansion, technology partnerships, business development, marketing, and key client relationships. During his more than 11 years at Schellman, he has been privileged to work with many of the world's leading cloud computing, federal, FinTech, healthcare, AI, and security provider clients. Doug has more than 24 years’ experience, starting with a then Big 6 firm followed by a decade working in the cybersecurity and financial services industries. He maintains multiple CPA licenses, along with CISSP, CIPP, ISO 27001 Lead Auditor, and QSA certifications. He is very active in industry organizations and regularly speaks on commercial and government compliance and its application to cloud and other advanced technologies.
