Assurance and Advisory Services

SOC for Service Organizations: Information for Service Organizations 

SOC for Service Organizations reports are designed to help service organizations that provide services to other entities build trust and confidence in the services performed and the controls related to those services through a report by an independent CPA. Each type of SOC for Service Organizations report is designed to help service organizations meet specific user needs:

SOC 1® – SOC for Service Organizations: ICFR
Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting

These reports, prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.

There are two types of reports for these engagements:

  • Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
  • Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

Use of these reports is restricted to the management of the service organization, user entities, and user auditors.

SOC 2® – SOC for Service Organizations: Trust Services Criteria

Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in:

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

Similar to a SOC 1 report, there are two types of reports: a type 2 report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls; and a type 1 report on management’s description of a service organization’s system and the suitability of the design of controls. Use of these reports is restricted.

SOC 3® – SOC for Service Organizations: Trust Services Criteria for General Use Report

These reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 report. Because they are general use reports, SOC 3 reports can be freely distributed.

HOW TO IDENTIFY THE SOC for SERVICE ORGANIZATIONS REPORT THAT IS RIGHT FOR YOU

  • Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customers’ financial statements? Yes: SOC 1® Report
  • Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s systems? Yes: SOC 2® or SOC 3® Report
  • Do you need to make the report generally available? Yes: SOC 3® Report
  • Do your customers have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor and results of those tests? Yes: SOC 2® Report. No: SOC 3® Report

AICPA Toolkit for SOC for Service Organizations
To help service organizations better understand SOC for Service Organizations examination engagements and educate current and potential customers on the reports on their controls, the AICPA has developed the SOC Toolkit for Service Organizations. All materials are available as free downloads.


The AICPA has developed the "Information for Management of a Service Organization" document to assist management of a service organization in preparing its description of the service organization’s system, which serves as the basis for a SOC 2® examination engagement. It is also intended to familiarize management with its responsibilities when it engages a service auditor to perform a SOC 2® engagement. This document was adapted from the SOC 2® Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (July 1, 2015).

© 2017 Association of International Certified Professional Accountants. All rights reserved.