SOC1-SOC2-SOC3-Report Comparison

With the change from SAS 70 to SSAE 16, three different SOC reporting options were introduced, and management is now tasked with figuring out which SOC report is the correct one for their organization. Below is a table illustrating the three different SOC reports; you can read more on SOC reporting on our blog.

SOC Reporting Comparison

Under what professional standard is the engagement performed?

SOC 1: SSAE No. 16, Reporting on Controls at a Service Organization
SOC 2: AT 101, Attestation Engagements, using the trust services principles
SOC 3: AT 101, Attestation Engagements

What is the subject matter of the engagement?

SOC 1: Controls at a service organization relevant to user entities' internal control over financial reporting.
SOC 2: Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
SOC 3: Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.

What is the purpose of the report?

SOC 1: To provide information to the auditor of a user entity's financial statements about controls at a service organization that may be relevant to a user entity's internal control over financial reporting. The report provides information to your clients' auditors relevant to their risk assessment procedures during their financial reporting engagements. Service organizations that have an impact on their clients' financial reporting should consider an SSAE 16 or SOC 1 report.
SOC 2: To provide management of a service organization, user entities and other specified parties with information and an opinion about controls of a service organization's system or systems that are relevant to the trust services principles covering security, availability, processing integrity, confidentiality or privacy. The SOC 2 report format is similar to a SOC 1 report; however, the focus is on the trust services principles and not the impact on user entities' financial reporting.
SOC 3: Same as the SOC 2; however, the report deliverable is limited to the service auditor's opinion and a system description.

What are the components of the report?

SOC 1:
• A service auditor's report that contains an opinion on the fairness of the presentation of the description of the service organization's system, the suitability of the design of the controls, and, in a type 2 report, the operating effectiveness of the controls.
• Management's assertion attesting to the system description.
• A description of the service organization's system.
• In a type 2 report, a description of the service auditor's tests of the controls and the results of the tests.

SOC 2:
• A service auditor's report that contains an opinion on the fairness of the presentation of the description of the service organization's system, the suitability of the design of the controls, and, in a type 2 report, the operating effectiveness of the controls.
• If the report addresses the privacy principle, the service auditor's opinion on whether the service organization complied with the commitments in its statement of privacy practices.
• A description of the service organization's system.
• In a type 2 report, a description of the service auditor's tests of controls and the results of the tests.
• In a type 2 report that addresses the privacy principle, a description of the service auditor's tests of the service organization's compliance with the commitments in its statement of privacy practices and the results of those tests.

SOC 3:
• A service auditor's report on whether the entity maintained effective controls over its system as it relates to the principle being reported on (i.e., security, availability, processing integrity, confidentiality, or privacy), based on the applicable trust services criteria.
• If the report addresses the privacy principle, the service auditor's opinion on whether the service organization complied with the commitments in its statement of privacy practices.

Who are the intended users of the report?

SOC 1: Auditors of the user entity's financial statements, management of the user entities, and management of the service organization.
SOC 2: Parties that are knowledgeable about:
• the nature of the service provided by the service organization
• how the service organization's system interacts with user entities, subservice organizations, and other parties
• internal control and its limitations
• the criteria and how controls address those criteria
SOC 3: Anyone

For more on SOC reports, visit the AICPA SOC site at www.aicpa.org/soc
