Service Organization Control (SOC) Reports
Related Professionals

John Shank, CPA, CGMA

The AICPA developed Service Organization Control (SOC) reports in response to marketplace demand to help companies that outsource tasks or functions to third-party providers. SOC reports, formerly called SAS 70 reports, provide a framework for CPAs to examine controls and help senior management understand the related risks of outsourcing to a service provider. Historically, companies had misused SAS 70 to issue reports on controls related to outsourced non-financial data rather than applying the correct attest standard that was in place. The SOC reports clarify which standard needs to be used and how it should be implemented to meet specific user needs. Typically, a SOC report is applicable to companies providing outsourced services to user entities (e.g., SaaS providers, payroll companies, benefits administrators, trust companies/administrators, claims processors, outsourced IT departments, application service providers, etc.).

A brief description of the three SOC reports is outlined below:

SOC 1

These reports, equivalent to the former SAS 70, examine controls at a service organization that are relevant to a user entity’s internal control over financial reporting and are primarily an auditor-to-auditor communication. There are two types of SOC 1 reports: a Type 1 covers one point in time, while a Type 2 covers a period of time and includes an assessment of the operating effectiveness of controls. Use of this report is restricted to management of the service organization, user entities, and user auditors.

SOC 2

These reports are intended to meet the needs of a broad range of users who need to understand internal controls at a service organization as they relate to security, availability, processing integrity, confidentiality, and privacy (based on the trust services principles and criteria). These are areas not covered by a SOC 1 report. A service organization can include one or multiple trust services principles in a SOC 2 report. SOC 2 reports are generally restricted and intended for use by stakeholders such as user entities, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls. SOC 2 reports are also prepared as a Type 1 or Type 2 report.

SOC 3

These reports cover the same subject matter as a SOC 2 report, but in a general-use, short-form format that can be freely distributed and publicly promoted with the AICPA SOC 3 seal on a service organization’s website. These reports are often issued in conjunction with a SOC 2 report. The primary difference from a SOC 2 report is that a SOC 3 report does not include a description of the service organization’s system, nor does it contain any information on testing. It simply provides the auditor’s opinion on whether the service organization maintains effective controls over its systems. SOC 3 reports are designed for entities that maintain or process electronic consumer data through e-commerce, software as a service (SaaS) solutions, and other electronic systems.

Requests for these types of reports have grown significantly in the last few years, as user entities increasingly require them from their outsourced service providers as part of vendor management due diligence and to satisfy requests from their auditors and regulators.

BMSS can issue each of these types of reports and can help your company determine which type of report is right for you.