Reckenen provides SOC 1 (SSAE 16), SOC 2 (AT 101) and SOC 3 (SysTrust) examinations as well as SOC Readiness services to service organizations.
The three Service Organization Control reports may be summarized as follows:
- SOC 1/SSAE 16 (formerly SAS 70): SOC 1 reports, prepared in accordance with the Statement for Attestation Engagements No. 16 (SSAE 16) standard, address a service organization’s controls that are relevant to a user organization’s internal control over financial reporting. SOC 1 examinations typically cover the business process and IT general controls of a service organization. SOC 1 reports are, essentially, a means of auditor-to-auditor communication, but service organizations also use them as a means of provider-to-customer communication.
- SOC 2/AT 101: SOC 2 reports are based on controls related to the joint AICPA and Canadian Institute of Chartered Accountants’ trust services principles and criteria around security, availability, process integrity, privacy and confidentiality. Management of a service organization can choose to be examined on one or more of the five (5) above-mentioned trust services criteria. SOC 2 reports can only be distributed to current customers of service organizations.
- SOC 3/SysTrust/WebTrust: SOC 3 reports are based on the joint AICPA and Canadian Institute of Chartered Accountants’ trust services principles and criteria and are available for general use and distribution. SOC 3 reports can be freely distributed or posted on a website as a SysTrust seal.
Resources and White Papers:
- SSAE 16 & SAS 70
Why SSAE 16 (SAS 70) is necessary for service organizations