Assurance and Advisory Services

    Service Organization Control (SOC) Reports 

    Service Organization Control Reports® are internal control reports on the services provided by a service organization. They provide valuable information that users need to assess and address the risks associated with an outsourced service.

    For CPAs: Provides information to user auditors and service auditors on understanding and performing SOC engagements.

    For Users: Provides information to user entities on how to mitigate the risks associated with outsourcing services.

    For Service Organizations: Provides information to service organizations on building trust and confidence in their systems.

    SOC Guides and Publications
    SOC 2SM Report with the Criteria in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

    The AICPA has developed an illustrative Type 2 SOC 2SM report to assist CPAs in reporting on two things: the suitability of the design and operating effectiveness of a service organization’s controls relevant to security and availability, based on the criteria for security and availability in TSP Section 100A, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids); and the suitability of the design and operating effectiveness of its controls in meeting the criteria in the Cloud Security Alliance Cloud Controls Matrix.

    Trust Services Principles, Criteria and Illustrations

    This resource presents measurement criteria for use when providing attestation or consulting services to evaluate controls relevant to the security, availability, and processing integrity of a system, and the confidentiality and privacy of the information processed by the system.

    The guidance was established by the Assurance Services Executive Committee (ASEC) of the AICPA, and is necessary when performing Service Organization Control, SOCSM 2 and SOCSM 3 engagements.

    This edition improves clarity, eliminates redundancy, and updates the criteria based on the changing technology and business environment. A mapping of the 2014 revised criteria (TPA Section 100) to the 2009 criteria (TPA Section 100A) is also available.

    Service Organizations: Reporting on Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting Guide

    The SOC 1SM guide is designed to assist CPAs in transitioning from performing a service auditor’s engagement under Statement on Auditing Standards (SAS) No. 70, Service Organizations, to doing so under Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, which replaces the guidance for service auditors in SAS No. 70. The following publication excerpts are available to AICPA members:

    Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2SM)

    The SOC 2SM guide provides “how-to” guidance for service auditors performing examinations under AT section 101, Attest Engagements (AICPA, Professional Standards), to report on a service organization’s controls over its system relevant to security, availability, processing integrity, confidentiality, or privacy. It includes a new comprehensive illustrative type 2 SOC 2SM report and expanded information on the unique challenges and risks service auditors will encounter in performing SOC 2SM or SOC 3SM engagements for cloud computing service organizations.

    SOC Resources

    SOC Reports, Logos, FAQs, Brochure & Peer Review Requirements

    SOC Publications

    Service Organization Control Reports® 

    Attestation Standards


    Quick Reference Guide to Service Organization Control Reports

    • The Quick Reference Guide to Service Organization Control Reports is designed as a marketing and communications tool to help build your practice. This guide acts as a “take-away” that you can provide to your clients as a ready reference to service organization reporting controls. It educates your clients on the fundamental information they need to know about service organization reporting controls and what options are available to them.


    Using an SSAE No. 16 Service Auditor's Report (SOC 1SM Report) in Audits of Employee Benefit Plans

    SOC Continuing Professional Education Resources


    SOC School: Conducting Successful Engagements

    • SOC School is designed to educate CPA practitioners who want to learn how to provide best-in-class services related to the effectiveness of controls at a service organization that impact their clients' internal controls over financial reporting (SOC 1SM), and controls at a service organization related to information privacy, security, confidentiality, availability and processing integrity (SOC 2SM and SOC 3SM). CPA practitioners who attend SOC School will gain a deeper understanding of Service Organization Control guidance and common practice issues, and will leave with the foundational knowledge to effectively perform these engagements.

    SOC Articles and Blog Posts

    Explaining SOC: Easy as 1-2-3
    What CPAs need to know about Service Organization Controls reports.

    Expanding Service Organization Control Reporting 
    SOC 2SM reports offer CPAs new opportunities to address clients' needs.

    Cloud Computing
    This article explains the history and future of the cloud, helps you understand the potential benefits and risks of cloud computing and discusses how SOC reports can mitigate those risks.

    Replacing SAS 70
    New standards for engagements involving outsourcing.

    Blog Posts

    4 Things to Know About Performing and Reporting on SOC Engagements
    Here are four key queries and their answers to help you better understand SOC engagements.

    SOC Engagements: How to Get in the Game
    Find tips on how you can start a SOC practice.

    Press Releases

    SOC for Cloud Service Providers
    Cloud Security Alliance (CSA) endorses SOC reports for evaluating controls over cloud service providers.

    Copyright © 2006-2014 American Institute of CPAs.