Service Organization Controls Reports: Frequently asked questions
The migration from SAS 70 to Statement on Standards for Attestation Engagements (SSAE) No. 16 resulted in several changes for service organizations and for the information presented to user entities and their auditors. In addition, the American Institute of Certified Public Accountants recently introduced a new framework that provides three Service Organization Control (SOC) reporting options to help address current market demands.
The options provided within this SOC framework include:
- SOC 1 (SSAE 16): Focuses on the service organization's internal controls that are relevant to a user entity's internal control over financial reporting (ICFR).
- SOC 2: Addresses controls over security, availability, processing integrity, confidentiality or privacy.
- SOC 3: A simplified report on the same subject matter as SOC 2 and available for public use.
We believe service organizations and user entities should be informed about their options when it comes to selecting the most relevant solution for third-party reports. This frequently asked questions (FAQ) document is designed to assist service organizations and user entities alike as they strive to make informed decisions about their reporting options.