Both are designed to mitigate unlikely risks. For anyone who may not know, Magneto's nemesis, Professor X, has the ability to read minds, and in order to protect his thoughts from being intercepted, Magneto wears a helmet made of lead. Magneto and Professor X are not real, and neither is the ability to read minds, but judging by many of the controls I see in SSAE 16 reports that are supposed to contain only controls that mitigate the risk of material financial misstatement, I would not be surprised to see a control such as "We use lead-lined drywall in our offices to prevent psychics from seeing us enter our passwords."
Recently I have had opportunities to observe several auditors defend why they believe the controls contained in their client's SSAE 16 reports are relevant to internal controls over financial reporting (ICFR). The auditors argue that the risk events the controls mitigate are "possible." I have had to explain, to seasoned auditors in some cases, that just because a risk event is possible, does not mean it is reasonable to conclude a control is ICFR relevant. I mean, sure, some people believe in psychics, and there is probably anecdotal evidence out there that password sniffing via psychic is "possible," but is jumping from there to a control requirement for lead-lined drywall reasonable? Of course not. It is equally unreasonable to say that having fire suppression in your data center will prevent you from materially misstating your financials.
Do we really need to explain that physical security, environmental, and operational controls do not belong in SSAE 16 reports, or is there something more sinister going on? Why haven't auditors required their clients to remove non-ICFR controls from their SSAE 16 reports as the standard requires for the past two years since the launch of SOC reports? Could it be that the number of controls that require testing in an audit program directly relate to the audit fees that are justified?
I remember that in years three or four of Sarbanes Oxley compliance my clients would start "control rationalization exercises" where they would evaluate the risk of a control, in order to justify its removal from the external auditor's scope. It was easy for management to calculate the value of performing this exercise...total audit fees, divided by the number of controls, equals audit fee per control. It stood to reason that the more controls you could "rationalize", the lower the audit fee should be.
I believe that most auditors know that it is unreasonable to include physical security, environmental, and operational controls in SSAE 16 reports, but they are unwilling to do anything about it until their clients sign up for SOC 2 engagements. As long as clients do that, audit fees will increase rather than decrease. How short sighted is that though? Requiring clients to remove non-ICFR controls would have created an assurance vacuum that SOC 2 was designed to fill. As it stands now, auditors who issued non-compliant SSAE 16 reports have a credibility problem.
If you are hearing about SOC 2 for the first time, and are looking to engage an auditor, you should ask to see some of their SSAE 16 work before making that decision. For more information on how to distinguish between ICFR and non-ICFR controls, please refer to my whitepaper on the subject here. If you are considering a report other than SOC 2 for assurance pertaining to security, availability, and/or confidentiality, please read my posts on why SOC 2 is a superior report to all others below:
Posted by Jon Long