SSAE 16 and SOC Report Analysis and Review

Do you know a good SSAE 16 from a bad one?


SSAE 16 audit reports are the most practical way for you to judge your outsourced vendors’ data center security policies, processes and procedures. Trouble is, they’re really hard for even experienced CIOs to read. Oh, and vendors still control the scope of these audits so you might miss that what you receive are merely the results of interviews covering 25 controls when you should expect test results of 75 controls.

Our Certified Information Systems Security Professional (CISSP) will review your vendors’ SSAE 16 report, compare it to our gold standard criteria, calculate the risk score, roll them into our popular vendor risk scorecards and make actionable recommendations to improve your risk profile.


Key Features:

  • Proprietary scoring methodology that analyzes year over year data center trends and 12 different security criteria
  • Includes recommendations to reduce vendor data center risk exposure
  • Above and beyond. We go beyond merely looking at data center security. We can also show you data center specific customer satisfaction ratings.
  • Examiner-approved. Our SSAE 16 review, scoring process and risk scorecards have been approved by every regulatory agency.

Learn More About Our Vendor Due Diligence Document Collection Services

Schedule a time to talk with one of our Vendor Management Consultants

or, if you’re ready, request a custom pricing proposal

Contact us now

So, What Makes Us Different?


Let us gather and review your vendors’ SSAE 16 and SCO reports, so you can focus your time on making the best business decisions  from our recommendations.


We are in the vendor evaluation business, so we are evaluating all aspects of the major vendors every day. Not only do we review vendor financials and attend vendor earnings calls, but we meet with vendor executives  every Friday to get product, company  and security updates.  We track vendor wins and losses , monitor changes in market share , evaluate their products and know about problems before they’re public.


Many competing vendor management software and services are actually resold by your moderate to high risk vendors .

This means they will only share publicly available information. We on the other hand are Gonzo and share non-public vendor dirt every day, all day. (link to Trouble in the Great White North)