

SSAE 16 SOC 1, SOC 2, and SOC 3 Assistance / Gap Assessment / Pre-Audit


In years past, an audit known as SAS 70 was performed. As of June 15, 2011, SAS 70 was replaced by Statements on Standards for Attestation Engagements No. 16 (SSAE 16, SOC1) and the Attestation Engagement 101 (AT 101, SOC2). The main difference between the old SAS 70 and the new SSAE 16 (SOC1)/AT 101 (SOC2) engagements is that the new engagements require the auditor to obtain a written assertion from executive management regarding the design and operating effectiveness of the internal controls being examined, and also prevent the misuse of Service Organizational Controls outside of financial statements and reporting. Originally, the SAS 70 framework was to be used to report only on the controls centered on financial reporting and statements; however, in later years it was also being used to assess operational IT and security controls. The AICPA recognized this and created the SSAE 16 to prevent the misuse of the SAS 70 controls, and drafted the AT 101 to fulfill the need to assess IT and Security Organizational Controls. The AICPA then created three different types of Service Organization Controls (SOC) reporting options:

  • The SOC 1 report (SSAE16) closely resembles the older SAS 70 controls
  • The SOC 2 report (AT 101) uses the Trust Services Criteria related to Security, Availability, Process Integrity, Confidentiality, and Privacy.
  • The SOC 3 (AT 101) uses the same criteria as the SOC2 report; however, it can be used as a more general report that can be given freely, as opposed to the SOC2 report that contains more details that may be more sensitive in nature


  • Complies with SOC 1, SOC 2, and SOC 3 auditing standards
  • Provides better insight/view into control requirements
  • Eliminates any potential, unfavorable surprises during the Audit
  • Demonstrates commitment to protect consumer information


SecureState’s Audit & Compliance consultants are experts in understanding both the technical aspects as well as the business aspects of your organization. SecureState has assisted a number of CPA firms in performing formal SSAE 16 SOC 1, SOC 2, and SOC 3 audits and as such understands the level of effort and control requirements necessary to pass a formal audit.

Did You Know?

  • If your company provides services to publicly-traded companies registered with the Securities and Exchange Commission, you may need to perform an SSAE 16 Assessment for financial reporting.
  • The focus of an SSAE 16 includes the procedures, people, software, data, and infrastructure of the organization.
  • SSAE 16 does not significantly overhaul the process of reporting on controls at a service organization. The standard instead provides a framework that aligns with the ISAE 3402 international standard.

Our Approach and Methodology

With the number of breaches on the rise in today's marketplace, it’s important that organizations ensure that their 3rd party service providers are maintaining a level of security and privacy with regard to their customer information. One way to do this is to use only service providers that have had an unbiased 3rd party audit performed that examines, documents, and tests internal controls within the service provider organization.

SecureState’s approach to an SSAE 16/AT 101 SOC 1, SOC 2, and SOC 3 Gap Assessment/Pre-Audit maps out critical information processes and determines if regulatory controls have an impact on the business. SecureState can provide assistance as well as perform a Gap Assessment on the 3 new auditing standards. The goals are to ensure that there are no surprises during the formal audit, as well as to:

  • Efficiently execute your SSAE 16/AT 101 program
  • Determine what reporting requirements are appropriate for your organization, i.e. SOC1, SOC2 and/or SOC3
  • Help build/determine the appropriate controls for your SOC1 engagement, or help interpret the Trust Services Criteria control requirements for SOC2/SOC3 and get answers for you quickly
  • Remediation cost-justification

The stages of our SSAE 16/AT 101 Gap Assessment/Pre-Audit, with limited descriptions, are as follows:

Pre-Onsite Visit:

  • Introduce engagement participants and define roles
  • Review engagement activities
  • Review any applicable documentation

Process Mapping:

  • Document the high level business process and supporting technologies
  • Perform data flow analysis and map processes to technical infrastructure

Requirements Analysis:

  • Document the existing controls
  • Identify gaps against the appropriate reporting requirements


  • On-site interview and information gathering to assess SOC 1, SOC2, and/or SOC3 status
  • Outline strategic recommendations to mitigate identified control gaps
  • Upload remediation activities to “MyState Portal”

What Makes Us Different


  • Provides comprehensive on-demand security expertise during the engagement and throughout the year
  • Provides technical security expertise that is not typically provided by CPA firms
  • Has strong partnerships with CPA firms performing SOC 1, SOC 2, and SOC 3 audits
  • Maintains close relationships with our clients because we care about the outcome of the assessment
