The SSAE-16 SOC 1 report is considered to be the mark of a trustworthy technology service provider, but the reality is that every company’s SOC 1 report looks different.
While many providers offer a SOC 1 report, the SOC 1 framework itself does not have a common set of control objectives, meaning there are no set criteria for what controls are required. I’ve seen SOC 1 reports with as few as 15 controls, and I’ve seen them with over 100 (we’re in the latter camp). While the number of controls is not directly indicative of a provider’s quality, it’s up to the report reader to consider the scope of the SOC report and ultimately decide whether the controls meet their own requirements.
As we develop new products and services, we always consider how they reinforce the existing controls in our SOC audit, and how we can make our audit even stronger. These aren’t just bullets on a PowerPoint presentation; they’re real improvements that we live and breathe.
It might surprise you to learn that the intended audience for a SOC 1 report is reviewers of financial statements.
Technology companies use the SOC 1 report because it’s a direct descendant of the SAS-70 standard, which it replaced. While the AICPA (the governing body responsible for the SAS-70 and SOC standards) would like technology providers to adopt the new SOC 2 framework, the industry has not warmed up to it just yet.
If you’re in the market for colocation, IT infrastructure, or managed services, please drop us a line and we’ll be happy to share our report as a reference as you evaluate providers. And as we kick off our audit engagement this spring, we’ll keep you updated right here as we reevaluate the SOC 2 standard.