It can be hard to believe just how much data is stored in the cloud (on someone else’s servers) these days. Organizations large and small have established an online presence and adopted a multitude of cloud-based solutions to gain greater operational agility, boost profitability, and improve their competitiveness.
Even organizations operating in industries where data privacy and security are of utmost importance, such as healthcare, have moved away from on-premises architectures and migrated to the cloud. Any healthcare organization that chooses to store and process users’ personal or confidential information with a third-party provider must be able to demonstrate that the provider operates in a HIPAA-compliant manner, which is where the SSAE 16 and SSAE 18 auditing standards for service organizations come in.
As if understanding the difference between SSAE 16 and SSAE 18 wasn’t difficult enough, several more terms are frequently misused and misunderstood in connection with these standards, including SAS 70, SOC 1 report, SOC 2 report, SOC 3 report, Type 1 report, and Type 2 report. Let’s put an end to this confusion and explain everything from the beginning.
Aware of the need of service organizations and service providers to demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers, the American Institute of Certified Public Accountants (AICPA), the national professional organization of Certified Public Accountants (CPAs) in the United States, issued a series of standards for reporting on the controls implemented by service organizations, known as SAS 70, in April 1992.
“For nearly 18 years, SAS 70 was the authoritative guidance that allowed service organizations to disclose their control activities and processes to their customers and their customers’ auditors in a uniform reporting format,” explains SAS70.com, the first and oldest internet resource fully dedicated to the SAS 70 auditing standard.
The era of SAS 70 effectively ended in January 2010 with the finalization of the Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, by the AICPA. SSAE 16 became effective on June 15, 2011, and it focused on internal controls over financial reporting (ICFR), having little to do with the services offered by HIPAA-compliant web hosting providers and data centers in general.
In order to broaden the reporting scope of SSAE 16, the AICPA created the Service Organization Controls (SOC) reports as new options for organizations concerned about security, availability, processing integrity, confidentiality, and privacy:
- SOC 1 reports: Used only for the purpose of reporting on the system of internal controls relating to internal control over financial reporting.
- SOC 2 reports and SOC 3 reports: Focus on controls at a service organization relevant to the principles of security, availability, processing integrity, confidentiality, and privacy. The main difference between SOC 2 reports and SOC 3 reports is that the former type is shared under NDA while the latter type is available to anyone publicly.
Web hosting providers, managed service providers, Software as a Service (SaaS) companies, and cloud computing providers that used SAS 70 in the past now need a SOC 2 report.
As if to make everything more complicated, SOC 1 and SOC 2 reports can each be either Type I or Type II:
- Type I: Examines whether the service organization’s description of its system matches the service organization’s system that was designed and implemented as of a specific date. It also examines whether the controls related to the control objectives stated in management’s description of the service organization’s system were suitably designed to achieve those control objectives.
- Type II: In addition to everything included in Type I reports, a Type II report examines whether the controls related to the control objectives stated in management’s description of the service organization’s system operated effectively throughout the specified period to achieve those control objectives.
On May 1, 2017, the AICPA replaced SSAE 16 with a new standard, known as SSAE 18, or Statement on Standards for Attestation Engagements No. 18. Just like SAS 70 and SSAE 16 before it, SSAE 18 is not a certification. It’s an audit and attestation standard used to produce System and Organization Controls (SOC) reports (SOC 1, SOC 2, and SOC 3).
“The SSAE 18 update brings in a couple significant differences than its predecessor, SSAE 16. Its main purpose is to clarify certain old standards and streamline and simplify the review process,” explains Colocation America, a HIPAA compliant colocation hosting provider. “The update to this standard will also demand companies take more control and responsibility of the people they work with, primarily third-party vendors.”
Under SSAE 18, a service organization, which is defined as any entity that provides services to other organizations, should identify all sub-service organizations used in providing the services and describe any sub-service organization controls that the service organization relies on to provide the primary services to its customers. Other requirements include a risk assessment that highlights the organization’s key internal risks as well as the implementation of controls to monitor the effectiveness of relevant controls at the sub-service organization, among other things.
By having an SSAE 18 review performed, HIPAA-compliant web hosting providers and all other service organizations can put their partners at ease by offering them concrete proof that they are conducting their business according to their specifications.
Hopefully, you now understand the difference between SAS 70, SSAE 16, SSAE 18, SOC 1, SOC 2, and SOC 3. In a world where everyone stores data in the cloud, it’s important to have the means of objectively evaluating how different service providers handle, operate, and control data related to customers and financial reporting. Thanks to SSAE 18 and its predecessors, HIPAA-compliant web hosting providers and other service organizations can enjoy the peace of mind that the environment they’ve created is safe and secure.