IT Assurance

Types of SERVICE ORGANIZATION CONTROL REPORTSSM

SOC 1 Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting: SOC 1SM reports are examination engagements performed by a service auditor (CPA) in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization, to report on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements. Use of a SOC 1SM report is restricted to existing user entities (not potential customers) and their auditors. There are two types of SOC 1SM reports:

  • Type 1 – A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
  • Type 2 – A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

SOC 2 Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy: SOC 2SM reports are examination engagements performed by a service auditor (CPA) in accordance with AT Section 101, Attest Engagements, of SSAEs (AICPA, Professional Standards, vol. 1) using the predefined criteria in TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids). SOC 2SM reports specifically address one or more of the following five key system attributes:

  • Security - The system is protected against unauthorized access (both physical and logical);
  • Availability - The system is available for operation and use as committed or agreed;
  • Processing integrity - System processing is complete, accurate, timely and authorized;
  • Confidentiality - Information designated as confidential is protected as committed or agreed;
  • Privacy - Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants. [The criteria in GAPP are the same as the criteria for the privacy principle in TSP section 100.]

Use of a SOC 2SM report is generally restricted. The two types of SOC 2SM reports are:

  • Type 1 – A report on management’s description of the service organization’s system and the suitability of the design of the controls;
  • Type 2 – A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls.

SOC 3 Trust Services Report for Service Organizations: SOC 3SM reports are examination engagements performed by a practitioner (CPA) in accordance with AT Section 101, Attest Engagements, of SSAEs (AICPA, Professional Standards, vol. 1) using the predefined criteria in TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids). A SOC 3SM report is a general-use report that provides only the auditor’s report on whether the system achieved the trust services criteria (no description of tests and results, and no opinion on the description of the system, is provided). SOC 3SM reports can be issued on one or more of the Trust Services principles (security, availability, processing integrity, confidentiality and privacy).

Which SOC Report is right for you? Use our SOC Decision Diagram to find the right fit!

Contact us today!

Steve Nessen, CISA, CRISC
Partner
Jose Muniz, CISA, CRISC, CEH, MCSE, CCNP
Director of Information System Audit

101 North Brand Blvd., Suite 1600
Glendale, CA  91203
t 818.637.5000
snessen@hbllp.com
7676 Hazard Center Drive, Suite 1150
San Diego, CA  92108
t 818.637.5000
jmuniz@hbllp.com