Service Organization Control (SOC) Reports
Visit the AICPA Website
Service Organization Controls (SOC) reports are designed to help service organizations, organizations that operate information systems and provide information system services to other entities, build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant. Each type of SOC report is designed to help service organizations meet specific user needs:
SOC 1 Report: This reports on the controls at a service organization relevant to a user entity's internal control over financial reporting. This report is typically used by the service organization’s customers to satisfy compliance requirements. This report is performed under the Auditing Standards Board’s Statement on Standards for Attestation Engagements (SSAE 18), Reporting on Controls at a Service Organization.
SOC 2 Report: This reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. This report is typically used by the service organization’s customers to gain comfort over selected operational controls tested at the service organization.
SOC 3 Report: This is a Trust Services Report which essentially covers the same subject matter as SOC 2, but the report does not include the same level of detail as the SOC 2. This report enables the service organization to publish a seal on their website indicating their compliance.