SSAE 16 (SOC 1, SOC 2, SOC3) Overview
Organizations that offer services (IT and/or BPO) to highly regulated industries, such as banking, insurance, healthcare and manufacturing, are often required by their clients to provide assurance of their control procedures.
Many organizations engage third-party specialists, like PRINCETON AUDIT GROUP, to perform SSAE 16 (SOC 1, SOC 2, SOC 3) audit engagements that assess the effectiveness of their policies, processes and procedures. The SSAE 16 (SOC 1, SOC 2, SOC 3) report process is well recognized within the industry.
Statement on Auditing Standards No. 70 (SSAE 16 (SOC 1, SOC 2, SOC 3)) was developed by the AICPA (American Institute of Certified Public Accountants) to signify that a service organization (vendor) has been through an in-depth audit of its control processes by independent auditors. SSAE 16 (SOC 1, SOC 2, SOC 3) certification is objective, with specific emphasis on IT controls as they relate to client services and financial reporting. This report is the authoritative guidance that allows service organizations/vendors to disclose their control activities and processes to their customers and the customers' auditors in a uniform reporting format.
The examination signifies that a service organization has had its control objectives and control activities examined by independent auditors / Certified Public Accountants.
More about SSAE 16 (SOC 1, SOC 2, SOC 3):
 
SOC 1 (Type I and Type II) Reports
This type of report meets the needs of the management and auditors of user entities as they evaluate the effect of a service organization's controls on a user entity's financial statement assertions. These reports are important components of a user entity's evaluation of its internal controls over financial reporting, both for compliance with laws and regulations and for when user entity auditors plan and perform financial statement audits.

A Type I report outlines an organization's control description at a specific point in time (for example, June 1, 2005). An SSAE 16 Type I report encompasses a service auditor's report on a service organization's controls as they relate to an audit of financial statements or to specific control objectives relevant to the service organization. A Type I report assesses the design effectiveness of the controls in scope; those same controls are then the ones tested in a Type II report.
 
SOC 2 Reports
SOC 2 reports are intended for user entities that need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality or privacy. This type of report can play an important role in oversight of the organization, vendor management programs, internal corporate governance and risk management processes, and regulatory oversight. Stakeholders who may use these reports include management or those charged with governance of the user entities and of the service organization, customers, regulators, business partners and suppliers.

A Type I report outlines an organization's control description at a specific point in time (for example, June 1, 2005). An SSAE 16 Type I report encompasses a service auditor's report on a service organization's controls as they relate to security, availability, processing integrity, confidentiality or privacy. A Type I report assesses the design effectiveness of the controls in scope; those same controls are then the ones tested in a Type II report.
 
SOC 3 (Type I and Type II in a Condensed Format) Reports
This is a report that can be used as a promotional effort on a company's website and serve as a marketing tool. A Type II report outlines an organization's control description as well as detailed testing of the organization's controls over a minimum six-month period (e.g., June 1, 2005 – December 31, 2005).

A Type II SAS 70 report encompasses a service auditor's report on a service organization's controls as they relate to specific control objectives relevant to the service organization. A Type II report determines whether the controls were in place, tested and operating with sufficient effectiveness to provide reasonable assurance that the related control objectives were achieved during a specified period of time, usually 6 or 12 months.
 
Which Type is recommended?
This really depends on the compliance and business objectives that your organization wants to accomplish.

See the comparison table below.

| User entities | Why the reports are required | Type of report recommended |
|---|---|---|
| Management, user entities and user auditors | Management wants to ensure the reports are accurate, and user entities want to ensure that the controls at the service organization do not impact the user's financial reporting. | SOC 1 |
| Management, user entities, user auditors and regulators | Concerns regarding security, confidentiality, availability, integrity and/or privacy. | SOC 2 |
| Users | Marketing/website | SOC 3 |

 
Value Additions
Given the depth of detail involved and the independent nature of the audit, these reports provide greater assurance to clients and their audit teams.
Unqualified SSAE 16 reports are the best way for service organizations to demonstrate that solid business, finance and IT practices, with appropriate checks and balances, are properly implemented and attested by independent auditors.
With the increased risks associated with outsourcing, many large clients in the US now make an SSAE 16 Type II report a mandatory requirement, either when procuring a new IT/BPO vendor or when renewing existing contracts.
Beyond treating it as a compliance obligation, service organizations (IT/BPO vendors) now use their successful SSAE 16 status as a competitive edge, showcasing it as a distinctive advantage over other vendors.