SAS 70 Reports Now Service Organization Control (SOC) Reports


By Holly Russo

Service Organization Control (SOC) Reports (formerly known as SAS 70 reports) are internal control reports on the services provided by a service organization. The following types of SOC reports provide user management with the information they need about the service organization’s controls to help assess and address the risks associated with an outsourced service:

  • SOC 1 Report - Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting - These reports are specifically intended to meet the needs of the entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors) in evaluating the effect of the controls at the service organization on user entities’ financial statements. Use of these reports is restricted to the management of the service organization, user entities and user auditors.


  • SOC 2 Report - Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy – These reports are intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. Use of these reports is generally restricted to user entities and others that have knowledge of the service organization’s services, such as regulators.


  • SOC 3 Report - Trust Services Report – These reports are designed to meet the needs of users who need assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems used by a service organization to process users’ information, and the confidentiality or privacy of that information, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report. Because they are general use reports, SOC 3 reports can be freely distributed or posted on a website as a SysTrust for Service Organizations seal.

The above article was written by both Holly Russo, Senior Manager, Internal Audit and Risk Advisory Services, and Heather Haemer, Manager, Internal Audit and Risk Advisory Services.  You can contact either of them concerning any questions you have on these new reports at hrusso@schneiderdowns.com or hhaemer@schneiderdowns.com.




Schneider Downs provides accounting, tax, wealth management, technology and business advisory services through innovative thought leaders who deliver the expertise to meet the individual needs of each client. Our offices are located in Pittsburgh, PA and Columbus, OH.

© 2019 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.