Service Organization Control (SOC) Reports (formerly known as SAS 70 reports) are internal control reports on the services provided by a service organization. The following types of SOC reports provide user management with the information they need about the service organization’s controls to help assess and address the risks associated with an outsourced service:
- SOC 1 Report - Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting - These reports are specifically intended to meet the needs of the entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors) in evaluating the effect of the controls at the service organization on user entities’ financial statements. Use of these reports is restricted to the management of the service organization, user entities and user auditors.
- SOC 2 Report - Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy – These reports are intended to meet the broad range of users that need information and assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. Use of these reports is generally restricted to user entities and others that have knowledge of the service organization’s services, such as regulators.
- SOC 3 Report - Trust Services Report – These reports are designed to meet the needs of users who need assurance about the controls at a service organization that affect the security, availability, and process integrity of the systems used by a service organization to process users’ information, and the confidentiality or privacy of that information, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report. Because they are general use reports, SOC 3 reports can be freely distributed or posted on a website as a Sys Trust for Service Organizations seal.
The above article was written by both Holly Russo, Senior Manager, Internal Audit and Risk Advisory Services, and Heather Haemer, Manager, Internal Audit and Risk Advisory Services. You can contact either of them concerning any questions you have on these new reports at firstname.lastname@example.org or email@example.com.
Schneider Downs provides accounting, tax, wealth management, technology and business advisory services through innovative thought leaders who deliver the expertise to meet the individual needs of each client. Our offices are located in Pittsburgh, PA and Columbus, OH.
This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax-related matter.