Statement on Standards for Attestation Engagements No. 16, also known as SSAE 16, replaced SAS 70 a few years back. The standard is designed to provide assurance that third-party service organizations have effective internal controls related to the services they provide. Outsourcing a service doesn’t absolve an organization of its risk management duties.
SSAE 16 covers three types of service organization control (SOC) reports to help entities evaluate weaknesses in their internal control program. SOC 1 deals primarily with financial reporting. SOC 2 and SOC 3 focus on security, processing integrity and privacy principles at the service organization—key areas of concern for any financial institution.