SOC

SOC is the acronym for Service Organization Control.

Service Organization Control

An audit framework built around reports that assess a service organization’s internal controls. These reports are based on standards developed by the American Institute of Certified Public Accountants (AICPA). Here’s the version history of SOC reports:

  • SAS 70 (before 2011): Statement on Auditing Standards No. 70 (SAS 70) was the original standard for assessing service organizations’ internal controls. It was used from 1992 to 2011 and primarily focused on controls relevant to financial reporting. SAS 70 provided a framework for auditors to evaluate and report on the effectiveness of a service organization’s internal controls, which helped build trust between service organizations and their clients.
  • SSAE 16 and SOC 1 (2011-2017): In 2011, the AICPA introduced the Statement on Standards for Attestation Engagements No. 16 (SSAE 16), which replaced SAS 70. SSAE 16 was used to report on service organizations’ controls relevant to user entities’ internal control over financial reporting (ICFR). SOC 1 reports were prepared using SSAE 16, providing a more comprehensive and standardized approach to assessing and reporting on internal controls related to financial reporting.
  • SSAE 18 and SOC 1 (2017-present): In 2017, SSAE 18 superseded SSAE 16. SOC 1 reports are now prepared using SSAE 18, which further enhances the guidance for performing and reporting on examinations, reviews, and agreed-upon procedures engagements. SOC 1 reports continue to focus on controls relevant to user entities’ ICFR, providing valuable information to service organizations’ clients and their auditors.
  • SOC 2 (2011-present): SOC 2 reports were introduced in 2011 and focus on a service organization’s non-financial reporting controls related to five key trust services criteria: security, availability, processing integrity, confidentiality, and privacy. These reports assure clients of the effectiveness of a service organization’s controls in these areas, helping to build trust and confidence in the services provided.
  • SOC 3 (2011-present): Also introduced in 2011, SOC 3 reports are simplified versions of SOC 2 reports designed for a general audience. These reports provide a high-level overview of the service organization’s controls related to the trust services criteria without disclosing sensitive details. SOC 3 reports are often used for marketing purposes or to provide a general understanding of a service organization’s control environment.
  • SOC for Cybersecurity (2017-present): SOC for Cybersecurity reports were introduced in 2017 to address the growing concern over cybersecurity risks. These reports provide information about an organization’s cybersecurity risk management program, including its effectiveness in detecting, responding to, and recovering from cybersecurity incidents. SOC for Cybersecurity reports help organizations demonstrate their commitment to maintaining a robust cybersecurity posture and provide assurance to stakeholders.
  • SOC for Supply Chain (2020-present): Introduced in 2020, SOC for Supply Chain reports address risks associated with an organization’s supply chain. These reports help organizations manage and mitigate supply chain risks by assessing the effectiveness of controls related to the production, manufacturing, and distribution of goods and services. SOC for Supply Chain reports assure clients and stakeholders that an organization has implemented appropriate measures to ensure the integrity and resilience of its supply chain.

These reports help service organizations demonstrate their commitment to maintaining effective internal controls and providing assurance to their clients.

  • Abbreviation: SOC