AICPA Service Organization Control Reports Logos 


    SOC 1, SOC 2 and SOC 3 and the associated logos are trademarks, service marks and certification marks of the American Institute of Certified Public Accountants (AICPA), which reserves all rights. AICPA has established specific Guidelines for the use and display of these marks. AICPA monitors the quality of the attestation services provided under its marks, but does not independently audit or verify compliance with the Guidelines by all those who download the marks nor does display of the mark indicate that the engagement did not identify any deficiencies or exceptions. In instances where AICPA becomes aware that a company may be displaying a mark without full compliance with the Guidelines, AICPA will undertake reasonable efforts to have that party demonstrate compliance with the Guidelines or remove the marks from its website. However, AICPA does not and cannot provide any express or implied representations, warranties or assurances concerning a party or company displaying any of the marks. Those doing business with an organization displaying the marks should conduct independent due diligence regarding the reputability, integrity and reliability of that organization.

    Following are the two service organization control reports logos:


    SOC Logo for use by CPAs: Refer to the Terms, Conditions and Guidelines for CPA’s use. Click logo to register for logo use.

    Service Organization Logo: Refer to the Terms, Conditions and Guidelines for Service Organization’s use. Click logo to register for logo use.


    Types of SERVICE ORGANIZATION CONTROL REPORTS℠

    SOC 1 Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting: SOC 1℠ reports are examination engagements performed by a service auditor (CPA) in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization to report on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements. Use of a SOC 1℠ report is restricted to existing user entities (not potential customers) and their auditors. There are two types of SOC 1℠ reports:

    (i) Type 1 – A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
    (ii) Type 2 – A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

    SOC 2 Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy: SOC 2℠ reports are examination engagements performed by a service auditor (CPA) in accordance with AT Section 101, Attest Engagements, of SSAEs (AICPA, Professional Standards, vol. 1) using the predefined criteria in TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids). SOC 2℠ reports specifically address one or more of the following five key system attributes:

    (i) Security - The system is protected against unauthorized access (both physical and logical);
    (ii) Availability - The system is available for operation and use as committed or agreed;
    (iii) Processing integrity - System processing is complete, accurate, timely and authorized;
    (iv) Confidentiality - Information designated as confidential is protected as committed or agreed;
    (v) Privacy - Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants. [The criteria in GAPP are the same as the criteria for the privacy principle in TSP section 100.]

    Use of a SOC 2℠ report is generally restricted.

    The two types of SOC 2℠ reports are:

    Type 1 – A report on management’s description of the service organization’s system and the suitability of the design of the controls;
    Type 2 – A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls.


    SOC 3 Trust Services Report for Service Organization: SOC 3℠ reports are examination engagements performed by a practitioner (CPA) in accordance with AT Section 101, Attest Engagements, of SSAEs (AICPA, Professional Standards, vol. 1) using the predefined criteria in TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids). A SOC 3℠ report is a general-use report that provides only the auditor’s report on whether the system achieved the trust services criteria (no description of tests and results or opinion on the description of the system are provided). SOC 3℠ reports can be issued on one or more of the Trust Services principles (security, availability, processing integrity, confidentiality and privacy). SOC 3℠ reports are general-use reports.




    Copyright © 2006-2014 American Institute of CPAs.