Importance of Security Certifications SSAE-16 and SOC for Cloud Providers

The Cloud has gone from buzzword to a business reality that several enterprises are evaluating on an ongoing basis. According to a study from consulting firm Emergent Research and financial software company Intuit, the percentage of U.S. small businesses using cloud computing is expected to more than double by 2020, from 37% in 2014 to 78% by 2020.

It may be just a matter of time, until your enterprise has to evaluate whether or not to make a shift to the Cloud. Whether it’s for contract management or for another field, security certifications SSAE-16 and SOC (Service Organizational Control) are essential to determine the data security and availability of a vendor.

Background of SSAE-16 and SOC

Businesses of all sizes have legitimate concerns about the data security and availability that cloud vendors can provide. In response to this uncertainty, the American Institute of Certified Public Accountants (AICPA) developed a system for assessing the financial and operational security of service organizations, including those providing cloud computing and SaaS services.

Formerly known as “SAS 70 reports” (SAS 70 is short for Statement on Auditing Standards No. 70), the SSAE-16 and SOC certifications are used by independent auditors to examine financial controls and internal procedures for data security, availability, processing integrity, and privacy.

Data centers, colocations and managed service providers (also known as data centers) that host systems relevant to their customers’ financial reporting are responsible for certain controls over those systems, such as physical and environmental security, using the applicable guidelines from SSAE-16 and SOC standards.

Use Credentials to Evaluate Vendors

New cloud-based services seem to be popping everywhere these days. This is why it’s important to check whether or not a cloud vendor has passed the rigorous security audits from SSAE-16 and SOC standards.

The AICPA points out that these standards were updated from the previous SAS-70 reports to meet the audit requirements of the the cloud computing industry:

“The increasing use of cloud computing companies (which provide user entities with on- demand network access to a shared pool of computing resources, such as networks, (servers, storage, applications, and services) has created an increasing demand for CPAs to report on nonfinancial reporting controls implemented by cloud computing service providers.”

The results from a SSAE-15 or SOC audit can reveal whether or not a company can be trusted to provide secure, reliable outsourced technology. Keep in mind that companies that already completed a SAS-70 audit may decide to wait a while until pursuing additional audits, it all depends on applicable regulations and jurisdictions.

Understanding Levels of SOC Certification

Just like there were was Type I and Type II audits under SAS-70, SOC provides three designations for the three engagements included in the SOC report series and the source of the guidance for performing and reporting on them:

  • SOC-1: Leverages the guidelines set forth by SSAE-16 to report on organizations   that provide services to user entities [i.e., customers] when those controls are likely to be relevant to user entities internal control over financial reporting.
  • SOC-2: While it also uses the SSAE-16 guidelines, a SOC-2 audit also reports on controls related to compliance with one or more the Trust Services Principles (i.e., security, availability, processing integrity, confidentiality and privacy). This makes SOC-2 the most sought audit by cloud service providers.
  • SOC-3: At first look a SOC-3 report delivers the same information as a SOC-2 report. However, two key differences are that a SOC-3 audit is written for a less technical audience and contains less details.  While a SOC-2 report is used internally, a SOC-3 report can be shared publicly and is often posted at a company’s website.

Companies that successfully complete a SOC-3 audit meet the most astringent type of audit available within the industry.


When used properly, the Cloud is a great tool that can lower your cost of ownership and streamline your operations. To perform a proper analysis of cloud vendors, the SAE-16 and SOC seals of compliance provide reassurance. By looking for these certifications and reports, you’ll be able to properly asses companies and make a more informed decision.

Image Credit: David Goehring