Super Team

SSAE 16 SOC 2 & 3


Effective June 2011, the SSAE16 (Statement on Standards for Attestation Engagements) replaced the SAS70. The AICPA moved requirements for CPAs reporting on controls at service organizations to the attestation standards, and established three Service Organization Control (SOC) reporting options (SOC 1, SOC 2 and SOC 3 reports) to replace SAS70.

HEALTHINOVATION partners with CPA firms to assist their clients with these assessments.SSAE

If you are a CPA firm, you can position your firm as an expert. Communicate with current and prospective clients by providing information about SOC reports, and how your firm and HEALTHINOVATION can assist.

Unlike SOC1 engagements that test client-specific controls over financial reporting, SOC2 and SOC3 engagements are based on pre-defined control objectives established by the AICPA and CICA in the "Trust Services Principles and Criteria" (TSPC) framework. The TSPC are highly technical in nature and require significant information technology expertise to test.

When it comes to SOC2 and SOC3 Reports, partner with the experts at HEALTHINOVATION.

How These Changes Affect CPA Firms

 The SSAE16 now requires the service auditor to obtain a written assertion from the service organization's management about the fairness of the presentation of the description of its system and about the suitability of the design and, in a type 2 engagement, the operating effectiveness of the controls.

How These Changes Affect CPA Firms

 The SSAE16 now requires the service auditor to obtain a written assertion from the service organization's management about the fairness of the presentation of the description of its system and about the suitability of the design and, in a type 2 engagement, the operating effectiveness of the controls.

Non-ICFR Controls (i.e. ITGC Controls) are in AT-101 not SSAE16:

 Requirements for CPAs examining and issuing reports on controls over subject matter other than financial reporting are housed in AT section 101, of the attestation standards, not under SSAE16.

Service Organizations that need Security, Availability, Processing Integrity, Confidentiality, and Privacy assurance must obtain a SOC2 or SOC3 report instead of a SOC1 report which is the direct replacement for SAS70.

HEALTHINOVATION's SOC Reporting Services

 We can help your firm access revenue streams that may have previously been untapped.

By partnering with HEALTHINOVATION to provide SOC2 and SOC3 engagements, you'll work with our technical specialists who are Certified Information Systems Auditors (CISAs). They perform SOC2 and SOC3 engagements per AT101 requirements at the highest quality level.

We provide technical guidance so that your audit partners are comfortable with performing work paper reviews and ultimately signing the SOC report. Our specialists are also available to provide technical expertise and pre-sales support to help secure engagements.