Service Organization Control (SOC) Reports
Developed by the American Institute of Certified Public Accountants (AICPA), Service Organization Control (SOC) reports are a comprehensive framework of reporting standards focusing on controls at service organizations. An organization that performs a task or function for other entities is known as a service organization. The SOC standards are designed to clarify, distill, and provide transparency in reporting on controls at service organizations.
Although a number of critical elements shape the SOC framework, three SOC reports are aimed at some very specific needs and reporting requirements for service organizations. A brief description of the three different types of SOC reports follows:
SOC 1 Reports
SOC 1 reports are restricted to service organization management, the service organization’s user entities (its clients), and user entities’ financial auditors. These reports replaced the SAS70 reports as of June 15, 2011. For reports not specifically focused on internal controls over financial reporting, SOC 2 and SOC 3 reports should be used.
SOC 2 Reports
SOC 2 reports meet the needs of a number of users for information on security, availability, processing integrity, confidentiality, or privacy. These reports are intended for use by stakeholders (customers, regulators, business partners, and suppliers) that need an in-depth understanding of the service organization and its internal controls structure.
SOC 3 Reports
These reports are designed for users who need assurance on controls at the service organization but do not require the depth of information provided in a SOC2 report. Since SOC3 reports are for general use, they can be freely distributed and even posted on the service organization’s website with the appropriate seal.