AICPA SOC 1, 2, and 3 | Reports and 5 Things You Need to Know
Out with the old and in with the new! With the replacement of the outdated SAS 70 auditing standard (which was in place for nearly two decades), AICPA SOC reports are becoming increasingly more common. Service organizations now have three distinct reporting options---and with this noteworthy change, it is important to take note of the following items regarding these options:
1. It’s a SOC world after all. The all new SOC (Service Organization Control) platform represents a monumental shift initiated by the American Institute of Certified Public Accountants (AICPA). In an effort to modernize and take a more global approach to service organization reporting, the aging SAS 70 auditing platform has been replaced in favor of SSAE 16, under the umbrella of the SOC framework. Within this framework are three reporting options---SOC 1, SOC 2 and SOC 3. The ISAE3402 reporting option serves as an international equivalent to SSAE 16, which is the de facto standard for compliance reporting.
Gone is the antiquated, one-size fits all SAS 70 auditing protocol, replaced by a robust, flexible, and scalable approach to auditing that is in line with the complexities of today’s business world. From SSAE 16 SOC 1 to SOC 2 and SOC 3, service organizations now have a large menu of auditing options to choose from – and that’s a good thing – and you also have a firm that offers fixed-fees and high-quality assessment services, and that’s NDB.
2. SOC 1 is here. With the retirement of SAS 70, SOC 1 has emerged as the new champion. As we have already alluded to, SOC 1 offers multiple reporting options in conjunction with the SSAE 16 professional standard; this results in the issuance of Type 1 and Type 2 reports. Although SSAE 16 reports are technically designed for reporting on controls within service organizations who have a true nexus with a concept known as ICFR (Internal Control over Financial Reporting), the SSAE 16 standard continues to attract a wide array of third-party entities.
There’s still a big debate as to SOC 1 vs. SOC 2 and which audit protocol is the preferred method. While there are still numerous technical companies that perform SSAE 16 SOC 1 audits, such as data centers and managed services providers, this is changing, with SOC 2 slowly emerging and becoming a viable source. Are you a technology oriented service organization performing critical I.T. services for customers, then SOC 2 should be your preferred audit choice when conducting third-party assessments. To learn more about NDB's SSAE 16 reporting services and our competitive, fixed-fee pricing, contact Christopher G. Nickell, CPA. He can be contacted at 1-800-277-5415, ext. 706 or via email at This email address is being protected from spambots. You need JavaScript enabled to view it. today.
3. SOC 2 is slowly emerging. The upgrade from SAS 70 signaled a changing of the guard, and with this change came more meaningful and flexible reporting options; hence, the expanded offerings from the new standard. Compared to SOC 1 SSAE 16 reporting, SOC 2 is not used in a widespread fashion. However, SOC 2---which is commonly used for technology based service organizations (cloud computing entities, data centers, etc.)---is emerging as a legitimate alternative. This trend will only gain momentum as interested parties become more aware of SOC 2’s true value. Meanwhile, AT 101 serves as the professional standard for SOC 2 reports, much like SSAE 16 does for SOC 1.
SOC 2 reporting incorporates the Trust Service Principles (TSP), which are:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
4. SOC 3 is an option also. SOC 3 shares several similarities with SOC 2. Both reporting options utilize the Trust Service Principles, both issue reports under the AT 101 professional standard, and both are increasing in recognition and usage. Either of these reporting options serves as a viable alternative to SOC 1. However, despite lacking the technical depth of SOC 2 reporting, SOC 3 offers SysTrust and WebTrust seals that can be issued and showcased as validation of compliance.
5. Policies and procedures are necessary for SOC compliance. In the world of regulatory compliance, policies and procedures need to be developed and followed! Information security policies and procedural documentation are just a few examples of the multitudes of categories where these controls are necessary. Stop and think about all the mandated information security policies and procedures & I.T. domains that require documentation – change control, access rights, incident response, data backup, and more – and its’ why NDB offers our SOC 1 and SOC 2 Policy Packets, complimentary to NDB’s clients.
When it comes to saving time and money on essential policy documents, NDB is there to help you every step of the way. Look, policy writing is incredibly taxing, time-consuming – and often very mundane – so do yourself a favor and turn to the SOC 1, SOC 2, and SOC 3 experts at NDB and then receive our industry leading, complimentary policy packets for helping save thousands of dollars and hundreds of operational man-hours on compliance.
To learn more about NDB's SSAE 16 reporting services and our competitive, fixed-fee pricing, contact Christopher G. Nickell, CPA. He can be contacted at 1-800-277-5415, ext. 706 or via email at This email address is being protected from spambots. You need JavaScript enabled to view it.
When you subscribe to the blog, we will send you an e-mail when there are new updates on the site so you wouldn't miss them.