Up to 1 May 2017 SSAE 16 provided a framework for the three categories of SOC reports. This framework has now been revised by SSAE18 (the update to SSAE16) and carries with it an effective date of 1 May 2017.
The marketplace is still getting to grips with SOC reporting choices and we hope that businesses will continue to embrace the diversity of options presented by the AICPA. We would recommend that service organisations should have open discussions with their user organisations in order to understand exactly why a certain SOC report is being requested. This information will inform the question as to which SOC report or reports are appropriate to the needs of user organisations and others.