SSAE16 / SOC Reports

Since the introduction of Sarbanes-Oxley in 2002, many companies with SEC-registered customers are required to have SSAE16 (SOC1) examinations. In addition, SSAE16 reports are being required by many user organizations that outsource to service providers.
At Hancock & Dana, we specialize in SSAE16 examinations with a process that is customized for each client to efficiently highlight internal controls, processes, values and integrity.

At Hancock & Dana, we offer Readiness Assessments as well as SOC1, SOC2 and SOC3 examinations.

  • Readiness Assessments – Designed to assess a service organization’s preparedness for a SSAE 16 examination. Identifies controls the service organization should either implement or improve before having a SSAE 16 examination.
  • SOC1 – Report on controls at a service organization that may be relevant to a user entity’s internal control over financial reporting. A type 1 report focuses on a description of the system and on the suitability of the design of its controls as of a specific date.  A type 2 report contains the same opinions with the addition of an opinion on the operating effectiveness of the controls throughout the specified period.
  • SOC2 – Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. Similar to SOC1 in that a type 1 or type 2 report is available.
  • SOC3 – Report that covers the same subject matter as SOC2, but does not include a description of the service auditor’s test of controls and results. The description of the system is less detailed than the SOC2 report.

Browse Our Services


“Hancock & Dana’s professionals are proactive – they truly care and have made a significant difference in helping me accomplish my goals.”

Randy, Business Owner