AT Section 101 vs. SSAE 16 often comes up as a topic of conversation because they're both an important component of the AICPA Service Organization Control (SOC) reporting framework. Specifically, SSAE 16 is the professional standard used for SOC 1 reporting, while AT Section 101 is the professional standard used for SOC 2 and SOC 3 reporting. And AT Section 101 has only really gained considerable attention because of the AICPA SOC platform, which allows service organizations three reporting options to choose from - SOC 1, SOC 2, and SOC 3. With that said, take note of the following essential points regarding AT Section 101 vs. SSAE 16.
1. AT Section 101 and SOC 2 and SOC 3: As just stated, AT Section 101 is the professional standard used for SOC 2 and SOC 3 reporting. It's a relatively little-known standard, but has now been pushed into the spotlight thanks to the AICPA SOC reporting platform. Look at AT Section 101 as a standard that provides general provisions and guidelines for attesting to a specific subject matter.
2. SSAE 16 and SOC 1: As for SSAE 16, it's much more well-known than AT Section 101, due in large part that it effectively has replaced the two-decade old SAS 70 auditing standard. And though many in the accounting and auditing profession refer to it as simply "SSAE 16 reports", it's technically the professional standard used for issuing SOC 1 reports under the AICPA SOC reporting framework. And much like SAS 70, SSAE 16 has firmly planted itself as the global de facto reporting standard for service organizations, though the international standard (ISAE 3402) is just as viable in many regards.
3. The SOC 1 vs. SOC 2 Debate: SSAE 16 SOC 1 reports shot out of the gate quickly, replacing SAS 70, and have never looked back. SOC 2 reporting - which uses AT Section 101 - has seen a much slower adoption by service organizations and the accounting and auditing profession as a whole. Time will tell if this changes, but it's important to note that SOC 2 reporting is intended for the growing number of technology companies - data centers, software developers, managed service providers, software as a service (SaaS) entities, and more.
4. Why SOC 1 SSAE 16 Reports are Leading the Pack: A big part of the success of SOC 1 SSAE 16 over SOC 2 AT Section 101 reporting is that of familiarity. Specifically, everyone knew that the SSAE 16 standard was effectively replacing the well-known, long-standing SAS 70 auditing standard. As for SOC 2 AT Section 101 reporting, it was quite new – hence – adoption has been slow.
5. The Future of AT Section 101 vs. SSAE 16: SSAE 16 is full steam ahead – being used by many service organizations for reporting on their control environment. As for SOC 2 AT Section 101 reporting, time will tell if it becomes a viable reporting option, and every indication is that it definitely will.
Contact NDB today for a competitive, fixed fee for all your SOC 1 SSAE 16 and SOC 2 AT Section 101 needs. Please call Christopher G. Nickell, at 1-800-277-5415, ext. 706 or email him directly at firstname.lastname@example.org. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.