SOC for Service Organizations
SOC for Service Organizations reports are internal control reports on the services provided by a service organization. They provide information that users need to assess and address the risks associated with an outsourced service.

CPAs
Provides information to user auditors and service auditors on understanding and performing SOC for service organization engagements.

Users & User Entities
Provides information to user entities on how to mitigate the risks associated with outsourcing services.

Service Organizations
Provides information to service organizations on building trust and confidence in their systems.

Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1®)
This updated and improved guide is designed to help CPAs effectively perform SOC 1® engagements under AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, of Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification.

Updated as of January 1, 2018, the SOC 2® guide provides “how-to” guidance for service auditors performing examinations under SSAE 18 (Clarified Attestation Standards) to report on a service organization’s controls over its system relevant to security, availability, processing integrity, confidentiality, or privacy. It includes an updated comprehensive illustrative type 2 SOC 2® report, a new comprehensive illustrative SOC 3® report, a new appendix on performing and reporting on a SOC 2® examination in accordance with International Standards on Assurance Engagements (ISAEs) or in accordance with both the AICPA’s attestation standards and the ISAEs, and expanded information on the unique challenges and risks service auditors will encounter in performing SOC 2® or SOC 3® engagements for service organizations.

The Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (control criteria) are intended for use by CPAs to provide advisory or attestation services to evaluate the controls within an entity’s cyber risk management program, or for SOC 2® and SOC 3® engagements. Management may also use the trust services criteria to evaluate the suitability of design and operating effectiveness of controls.

The 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report are intended for use by service organization management in preparing the system description and by CPAs to report on management’s description in a SOC 2® examination. They are designed to be used in conjunction with the 2017 Trust Services Criteria set forth in TSP section 100 (AICPA, Trust Services Principles). When preparing a description of the service organization’s system as of December 15, 2018, or prior to that date (type 1 examination), or a description for periods ending as of December 15, 2018, or prior to that date (type 2 examination), either the 2018 description criteria or the 2015 description criteria may be used. During this transition period, management should identify in the description whether the 2018 description criteria or the 2015 description criteria were used. When preparing a description of the service organization’s system as of or after December 16, 2018 (type 1 examination), or a description of the system for periods ending as of or after that date (type 2 examination), the 2018 description criteria should be used.

The 2015 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report are intended for use by service organization management in preparing the system description and by CPAs to report on management’s description in a SOC 2® examination. They are designed to be used in conjunction with the 2016 Trust Services Criteria in TSP section 100A (AICPA, Trust Services Principles). The 2015 description criteria may be used when preparing a description of the service organization’s system as of December 15, 2018, or prior to that date (type 1 examination), or a description for periods ending as of December 15, 2018, or prior to that date (type 2 examination).

Attestation Standards
This 2017 edition of the AICPA Codification of Statements on Standards for Attestation Engagements includes the newly clarified Statements on Standards for Attestation Engagements in SSAE No. 18, Attestation Standards: Clarification and Recodification. Redrafted in accordance with the clarity drafting conventions and differentiated from the extant standards by the identifier “AT-C”, the attestation standards are easier to read, understand, and apply because each AT-C section establishes objectives and definitions and separates requirements from application and other explanatory material.
Some of the more significant changes introduced by SSAE No. 18 include:
- Separation of procedural and reporting requirements for review engagements from their counterparts for examination engagements
- Required representation letters
- More robust risk assessment for examination engagements
SSAE No. 18 supersedes all of the extant attestation standards with the following exceptions:
- AT 501, An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements
- AT 701, Management’s Discussion and Analysis
SOC for Service Organizations Resources
Brochure Infographic: SOC Survey Results. The AICPA staff conducted a survey of over 400 firms to gain an understanding of the market for SOC and third-party assessment services.
Whitepaper: Implications of the Use of Blockchain in SOC for Service Organization Examinations
FAQs - SOC 2® and SOC 3® Examinations provide nonauthoritative guidance on selected practice matters raised by members in connection with SOC 2® and SOC 3® examinations.
Mapping of the 2017 Trust Services Criteria to Extant 2016 Trust Services Principles and Criteria
Mapping of the Trust Services Criteria to NIST 800-53
SOC for Service Organizations Brochure is a tool CPAs can co-brand (via the ? stamp on the cover page) and distribute in association with marketing of SOC for Service Organizations services.
SOC 2® + Additional Subject Matters and Additional Criteria
Learn about the additional considerations that apply when a service organization requests that the service auditor examine and report on subject matters beyond the description of the service organization’s system (in accordance with the description criteria) and the suitability of design and operating effectiveness of controls (based on the applicable trust services criteria).
SOC for Service Organizations Reports, Logos, Toolkits, Peer Review Requirements, and Other Related Information
- SOC 1®
- SOC 2®
- SOC 3®
- SOC for Service Organizations Logos
- SOC for Service Organizations Toolkit for Firms
- SOC for Service Organizations Toolkit for Service Organizations
- Peer Review Requirement
- Common deficiencies peer reviewers noted in SOC 1® and SOC 2® examinations
- Whitepaper - SOC 2® Examinations and SOC for Cybersecurity Examinations: Understanding the Key Distinctions
- Performing and reporting on a SOC 2® examination in accordance with International Standards on Assurance Engagements (ISAEs) or in accordance with both the AICPA’s attestation standards and the ISAEs
SOC for Service Organizations Continuing Professional Education

Introduction to SOC Reporting
Introduction to SOC Reporting is designed to provide CPA practitioners with foundational knowledge about planning, performing, and reporting on SOC for Service Organizations examinations. This CPE course offers guidance on how to provide attest services related to the effectiveness of controls at a service organization that affect clients’ internal control over financial reporting (SOC 1®), and controls at a service organization related to information privacy, security, confidentiality, availability, and processing integrity (SOC 2® and SOC 3®).
SOC for Service Organizations Virtual School: Increase Your Understanding of SOC 1®, SOC 2® and SOC 3® Reporting
SOC for Service Organizations School is designed to educate CPA practitioners who want to learn how to provide best-in-class services related to the effectiveness of controls at a service organization that affect their clients’ internal controls over financial reporting (SOC 1®), and controls at a service organization related to information privacy, security, confidentiality, availability, and processing integrity (SOC 2® and SOC 3®). Designed for intermediate to advanced experience levels, the school gives CPA practitioners who attend a deeper understanding of SOC for Service Organizations guidance and common practice issues.
Visit aicpastore.com to learn more.
SOC for Service Organizations Certificate

Advanced SOC for Service Organizations Certificate Exam
The Advanced SOC for Service Organizations Certificate Exam tests the knowledge and skills of advanced-level practitioners in conducting both SOC 1® and SOC 2® engagements, including the ability to plan, perform, and report on the engagements. Practitioners who pass the exam are awarded a certificate in the form of a digital badge.