Advisory – Sorting out “SOC”s – Which Report Your Service Providers Should Make Available

From Robert Kluba, Technology Practice Director, AuditOne Inc.

Your services providers that store or process information should provide you each year with a SOC (Service Organization Controls) report.  If the information they handle relates to your financial statements, then a SOC 1-SSAE 16 must be provided. The SOC 1 – SSAE 16 replaces the SAS 70 and is the only SOC report that opines on the processing as it relates to your financial reporting.

If the service provider is not used for financial statement related processing, but handles corporate information in other regards, then a SOC 2 or SOC 3 report is necessary. For example if the service firm provides secure storage of data or cloud based services, then the firm should provide an annual SOC 2 or SOC 3 report. The SOC 2 or SOC 3 report would provide you documented assurances that the operational safeguards protect your firm as the service relates to either: processing security, availability, processing integrity, confidentiality, or privacy. One or more of these five principles would be covered in a SOC 2 or SOC 3 as it applies to the processing service your vender provides.

SOC 1 – SSAE 16

Four years ago the American Institute of Certified Public Accountants (“AICPA”) created the Service Organization Control Report framework, and replaced SAS 70 with the SOC 1 – SSAE 16. Under the new framework, service organizations that handle financial data or affect the financial reporting of your firm would now receive a SOC 1 – SSAE 16 audit and report.  This review can be a “Type I or Type II” review. Type I reports on the suitability of the controls, while Type II also tests the effectiveness of the controls.


The SOC 2 Report focuses on internal controls related to the five AICPA Trust Principles: 1) security, 2) availability, 3) processing integrity, 4) confidentiality, and 5) privacy. A firm may select one or more of these principles to be reviewed. As with SOC 1 – SSAE 16, an organization can receive a SOC 2 review that is either a Type I or a Type II.


SOC 3 is a summary report that documents assurances on the internal controls related to the selected AICPA Trust Principles (security, availability, processing integrity, confidentiality, or privacy) but without detailed description of tests and results contained in a SOC 2. In addition, the SOC 3 report can be publically displayed on your web site, or provided to potential clients without an NDA (as required with the SOC 1 or SOC 2 reports).

AuditOne Inc. Delivers Effective and Efficient SOC Audits

AuditOne Inc.’s skilled audit, technical and security experts deliver the highest quality, cost-effective, responsive SOC/ SSAE16 services in the industry. Please contact myself or Bud Genovese to review how we can make the SOC/ SSAE 16 audit an effective and efficient experience for your firm. I will be more than happy to help you understand why AuditOne Inc.’s user-friendly process and focus, makes it the market-leading smart choice.