Service Organization Control (SOC) Reports, commonly known as SOC 1, SOC 2, and SOC 3 Reports, are a comprehensive framework put forth by the American Institute of Certified Public Accountants (AICPA) for reporting on controls at service organizations. Unlike Statement on Auditing Standards No. 70 (SAS 70), which became a global "de facto" reporting standard applied to almost any entity labeled or deemed a "service organization", the SOC framework is a specific set of reporting initiatives aimed at clarifying, distilling, and bringing much-needed transparency to reporting on controls at service organizations.
What You Need to Know About SOC 1 & SOC 2 Reporting
Though a number of critical elements helped shape and ultimately form the new SOC reporting framework, it is important to note that each of the three (3) SOC reports is aimed at very specific needs and reporting requirements of service organizations. We live in a complex and ever-changing business environment, one that has seen exponential growth in outsourcing coupled with increasing demands for assurance from the very service organizations that perform critical functions for other entities (i.e., user organizations, user entities). As such, the following SOC reports are aimed at reporting on controls at service organizations across a wide range of industries and business sectors:
• SOC 1 Reports: Reporting on controls relevant to internal control over financial reporting (ICFR). Please note that SOC 1 reporting was conducted in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, known simply as SSAE 16, along with an accompanying SSAE 16 audit guide released in early 2011 (with subsequent publications since then). SSAE 16 has since been replaced by SSAE 18 for reports dated on or after May 1, 2018.
• SOC 2 Reports: Reporting on controls relevant to security, availability, processing integrity, confidentiality, or privacy. Please note that SOC 2 reporting is conducted in accordance with AT Section 101 and utilizes an audit guide titled "Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy", which was also released in early 2011 (with subsequent publications since then).
• SOC 3 Reports: Reporting on controls relevant to security, availability, processing integrity, confidentiality, or privacy in accordance with the general Trust Services Principles. Please note that these reports are to be prepared using the AICPA and Canadian Institute of Chartered Accountants (CICA) Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy.