Importance of Security Certifications SSAE-16 and SOC for Cloud Providers

With over 80% of enterprise workloads expected to be in the cloud by 2020, it’s no surprise that security continues to be a top of mind issue for organizations of all types.   Whether you are still in the evaluation phase or if you’ve already made the shift to the cloud for your contract management software or for another application, security certifications SSAE-16 and SOC (Service Organizational Control) are essential to determine the data security and availability of a vendor.

Editor’s Note: To learn more, download our whitepaper on the top 10 contract management best practices.

Background of SSAE-16 and SOC

Businesses of all sizes have legitimate concerns about the data security and availability that cloud vendors can provide. In response to this uncertainty, the American Institute of Certified Public Accountants (AICPA) developed a system for assessing the financial and operational security of service organizations, including those providing cloud computing and SaaS services.

Formerly known as “SAS 70 reports” (SAS 70 is short for Statement on Auditing Standards No. 70), the SSAE-16 and SOC certifications are used by independent auditors to examine financial controls and internal procedures for data security, availability, processing integrity, and privacy.

Data centers, colocations, and managed service providers (also known as data centers) that host systems relevant to their customers’ financial reporting are responsible for certain controls over those systems, such as physical and environmental security, using the applicable guidelines from SSAE-16 and SOC standards.

Use Credentials to Evaluate Vendors

New cloud-based services seem to be popping up everywhere these days. Therefore, it’s important to check whether a cloud vendor has passed the rigorous security audits from SSAE-16 and SOC standards.

The AICPA points out that these standards were updated from the previous SAS-70 reports to meet the audit requirements of the cloud computing industry:

“The increasing use of cloud computing companies (which provide user entities with on- demand network access to a shared pool of computing resources, such as networks, (servers, storage, applications, and services) has created an increasing demand for CPAs to report on nonfinancial reporting controls implemented by cloud computing service providers.”

The results from a SSAE-15 or SOC audit can reveal whether a company can be trusted to provide secure, reliable outsourced technology. Keep in mind that companies that already completed a SAS-70 audit may decide to wait a while until pursuing additional audits, it all depends on applicable regulations and jurisdictions.

Understanding Levels of SOC Certification

Just like there were was Type I and Type II audits under SAS-70, SOC provides three designations for the three engagements included in the SOC report series and the source of the guidance for performing and reporting on them:

  • SOC-1: Leverages the guidelines set forth by SSAE-16 to report on organizations  that provide services to user entities [i.e., customers] when those controls are likely to be relevant to user entities internal control over financial reporting.
  • SOC-2: While it also uses the SSAE-16 guidelines, a SOC-2 audit also reports on controls related to compliance with one or more the Trust Services Principles (i.e., security, availability, processing integrity, confidentiality and privacy). This makes SOC-2 the most sought audit by cloud service providers.
  • SOC-3: A SOC-3 report is similar to a SOC-2 report. However, two key differences are that a SOC-3 audit is written for a less technical audience and contains less details.  While a SOC-2 report is used internally, a SOC-3 report can be shared publicly and is often posted at a company’s website.


When used properly, the cloud is a great tool that can lower your cost of ownership and streamline your operations. To perform a proper analysis of cloud vendors, the SAE-16 and SOC seals of compliance provide reassurance. By looking for these certifications and reports, you’ll be able to properly assess companies and make a more informed decision.