SSAE 18 compliance standard governs the way organizations report on their various internal compliance controls for a service organization that may subcontract some of its services out to another provider.
SSAE 18 reports usually come in the form of a Service Organization Control (SOC) report, which provides the audit results of the risks associated with outsourced vendors.
Key difference between SOC 1, SOC 2 and SOC 3 Reports
SOC 1 | SOC 2 | SOC 3 |
---|---|---|
SOC 1 audit report tells whether a service organization has effective internal controls in place pertaining to financial reporting. | SOC 2 audit report comprises the assessment results related to internal controls around security, including data availability, confidentiality, privacy, and processing integrity. | The SOC 3 is a public report of internal controls over security, availability, processing integrity, and confidentiality |
This report is key consideration with respect to outsourced financial services such as payroll and taxation performed by a third-party provider | This report is required to gain assurance that the outsourced service provider has appropriate controls regarding information security | General use reports, specifically used for advertising and promotional purposes |
This can be of Type 1 or Type 2. Type I reports evaluating whether proper controls are in place at a specific point in time. Type II reports are done over a period of time, which is typically six months to verify operational efficiency and effectiveness of the controls. | This can be of Type 1 or Type 2. Type I reports evaluating whether proper controls are in place at a specific point in time. Type II reports are done over a period of time, which is typically six months to verify operational efficiency and effectiveness of the controls. | This is only of one type |
Audience for this report is restricted | Audience for this report is restricted | Audience for this report is not restricted |
Become ISO 31000 – Enterprise Risk Management for the Professional today!!