This site uses cookies to provide you with a more responsive and personalized service. By using this site you agree to our use of cookies. Please read our cookie notice for more information on the cookies we use and how to delete or block them.

Bookmark Email Print this page

Service Organization Controls Reports: Frequently asked questions


The migration from SAS 70 to Statement on Standards for Attestation Engagements (SSAE) No.16 resulted in several changes for service organizations and information that's being presented to user entities and their auditors. In addition, the American Institute of Certified Public Accountants recently introduced a new framework resulting in three Service Organization Control (SOC) reporting options to help address the current market demands.

The options provided within this SOC framework include:

  • SOC 1: (SSAE 16): Focuses on the service organization's internal controls that are relevant to a user entity's internal control over financial reporting (ICFR).
  • SOC 2: Addresses controls over security, availability, processing integrity, confidentiality or privacy.
  • SOC 3: A simplified report on the same subject matter as SOC 2 and available for public use.

We believe service organizations and user entities should be informed about their options when it comes to selecting the most relevant solution for third party reports. This frequently asked question (FAQ) document is designed to assist service organizations and user entities alike as they strive to make informed decisions about their reporting options.

Share this page

Email this Send to LinkedIn Send to Facebook Tweet this More sharing options

Stay connected