Service Organization Control (SOC) Reports
Customers want to know that the services they use pay attention to security, privacy, confidentiality, integrity, and availability. Companies need assurance that a strong system of controls is in place and is operating effectively at their organizations. We help these organizations provide critical information about their service effectiveness to customers—the user organizations—in accordance with guidelines from The American Institute of Certified Public Accountants (AICPA) and the newly created Service Organization Control (SOC) reports.
Under AICPA guidelines, three different types of reports are used to communicate these business controls:
SOC 1: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting. This report corresponds to the recently released SSAE 16 report (which replaced the Statement on Auditing Standards #70 (SAS 70)). It is designed to conform to international standards and provides assurance, transparency, and verification of internal controls for an auditor of the user organization. As were SAS 70 reports, these reports are available in both Type I (examination as of the date of review) and Type II (examination performed over a period of time, usually six months or more, to represent testing for operational effectiveness). SOC 1 engagements are performed in accordance with the Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization, and are intended for those organizations whose service is financially material to their users.
SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy. This report provides detailed information regarding the services reviewed in one or more of five key system attributes—security, availability, processing integrity, confidentiality, and privacy. SOC 2 engagements address controls relating to operations and compliance. These reports are also available in Type I and Type II formats.
SOC 3: Trust Services Report. This report provides summarized information, and is more general than the SOC 2 standard. It reports on whether the system achieved basic trust services criteria, but does not include detailed system and testing descriptions.
A service organization that has had at least one of these reports issued by a licensed CPA may use or display the AICPA Service Organization Logo.
Each of these reports must be carefully planned by the service organization in connection with its auditing team. Contact Jason Stork at firstname.lastname@example.org to discuss your needs and determine the best report and approach for your organization.
Frank, Rimerman + Co. LLP is a PCAOB registered accounting firm, with an experienced team who have led and performed many SSAE 16 (and SAS 70 examinations).
For more information on the SOC reports and AICPA
guidance, please visit the Service Organization Control
(SOC) Reporting website at: www.aicpa.org/SOC.