Service Organization Control – SOC1, SOC2, and SOC3

SFAI is expanding its portfolio with a new service offering: Management Assurance Service – SOC

What are SOC for Service Organizations reports?

SOC for Service Organizations reports are internal control reports, issued by independent CPAs, on the services a service organization provides to its customers. They are:

  • Useful for evaluating the effectiveness of controls related to the services performed by a service organization
  • Appropriate for understanding how the service organization maintains oversight over third parties that provide services to customers
  • Helpful in reducing the compliance burden by providing one report that addresses the shared needs of multiple users
  • Valuable for enhancing the ability to obtain and retain customers

Types of SOC for Service Organizations Reports

The SOC for Service Organizations offerings available include:

SOC 1 — SOC for Service Organizations: ICFR

These reports are specifically designed to address controls at the service organization that are relevant to the user entities’ internal control over financial reporting (ICFR), and therefore to their financial statements. They enable user auditors to perform risk assessment procedures and obtain audit evidence about whether controls at the service organization are operating effectively. The use of these reports is restricted to the management of the service organization, user entities, and user auditors.

SOC 2 — SOC for Service Organizations: Trust Services Criteria

These reports address controls relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and to the confidentiality and privacy of the information these systems process. They provide a level of detail sufficient to address the user’s vendor risk management needs and are restricted to specified parties with sufficient knowledge and understanding of the service organization’s system and the nature of the services it provides. Use of these reports is generally restricted to service organization management, user entities of the system, business partners, CPAs providing services to user entities and business partners, and regulators.

SOC 3 — SOC for Service Organizations: Trust Services Criteria for General Use Report

Like SOC 2, these reports address controls relevant to security, availability, processing integrity, confidentiality, and privacy. However, they do not provide the same level of detail as a SOC 2 report. Because the detailed system description and control information is omitted, they are considered general use reports and can be freely distributed, for example on a public website; a customer performing vendor risk management will still need the restricted-use SOC 2 report to assess the controls in depth.