When referring to SSAE16 or SOC 1, what is the difference and how do you use these acronyms appropriately?
Simply put, the SSAE No. 16 standard is the attestation standard used to create a SOC 1 branded report.
There are several SSAEs (Statements on Standards for Attestation Engagements) for various types of reports, number 16 happens to be the one that applies and is used to perform an attestation on a service organization controls likely to impact their customers’ internal controls over financial reporting. The terms are often times used interchangeably because of their relationship; but they are different.
When referring to the ‘audit’, there is no single right way to do it; however, probably the most technically accurate phrase would be ‘SSAE 16 examination’. When referring to the report, ‘SOC 1 report’ should be used.
Do you have more questions about SOC 1? Register for the Free SOC 1 Overview Webinar
About the Author
Ryan Mackie is a Principal and ISO Certification Services Practice Director at Schellman & Company, LLC. Ryan manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery and also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000, and ISO 22301 as well as CSA STAR certification services. He has over 18 years of experience. Ryan also is an active member of the CSA and site on the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution.More Content by Ryan Mackie