How to Explain SOC 2 to Your Clients Who Are Still Asking for SSAE 16

If you have made the decision to go with a SOC 2 because it is the right report for your organization, but you still have customers who are asking for a SOC 1 (SSAE 16), here's what you can tell them.

Dear Customer, 

We have determined through careful examination of our services, and in consultation with our CPA firm that SOC 1 (SSAE 16) is not applicable to us because our services do not have the potential to impact the accuracy of our customer's financial statements.  Our customers have expressed the need to obtain assurance pertaining to our internal controls as they relate to the security, integrity, confidentiality, and privacy of the data we process, store, or transmit for them, as well as the availability of the systems we host for them.  Consequently, we have selected to undergo a SOC 2 engagement that is based on the same family of standards as SSAE 16, but is more applicable to the services we provide our customers.  

Our SOC 2 report, based on SSAE 10, 11, 12, and 14; cumulatively referred to as AT-101, provides assurance regarding security, availability, processing integrity, confidentiality, and privacy.  It is not intended to provide our customers with assurance relevant to internal controls over financial reporting (ICFR).  If your internal or external auditors require supporting documentation regarding how we determined that our services  do not pertain to our customer's ICFR process, we will be happy to provide the information to them upon request.

Thank you very much for your business.

You will have to tailor the references to all five TSPC principles if you only received an attestation on a subset of the five (ie. just security and availability).

If your CPA firm has not helped you document why your internal control environment does not have ICFR impact on your customers, then you can contact me at, and I will document it for you using the Degrees of Risk Separation (DoRS) approach to determining ICFR.


  1. Jon. This is awesome. Glad you are still pushing the SOC agenda. You know oftentimes people need templates to guide us in the right direction.

    1. Thanks Robert. I'm the same way. I'm working on a nice one right now that will people's lives easier who are having to deal with multiple compliance requirements.

  2. This comment has been removed by the author.

  3. Hey, St. Petersburg, I'm going to be in your neck of the woods tomorrow and Thursday. Do you want to meet up?

  4. Thank you for useful article!
    Agreed, cyber security is essential for modern enterprises like traditional security is. What is interesting is that data loss may cost more than for instance all the office equipment. That is why companies are ready to pay for quality Ideals virtual data room service in order to keep their data safe.