United States

Service organization control reporting options


Organizations are increasingly outsourcing technology and business processes to service organizations, even processes that are core to their operations. When organizations outsource these tasks and functions, many of the risks of the service organization become risks of the user clients. With the increased reliance on cloud computing and other technology service offerings, service providers can maintain a competitive advantage by providing their clients comfort over controls, processes, policies, procedures and data integrity.

The AICPA established three Service Organization Control (SOC) reporting options (SOC 1, SOC 2 and SOC 3 reports) that have replaced the SAS 70 and have provided a new mechanism for service providers to obtain assurance reports and maintain increased transparency for their clients. These new SOC standards are better aligned with the existing international standards and now have a common look and feel. SOC 1 or SOC 2 examinations can be either a type I or a type 2 examination. Type I examinations provide a Service organization's description of controls and an auditors opinion on whether the controls were designed effectively at a single point in time. Type II examinations include tests of the effectiveness of the controls over a period in time and can provide increased assurance for the clients and their auditors
SOC 1 engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16. SOC 1 reports focus solely on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements.
Comparison of SAS 70 to SSAE 16 (SOC 1)

Similarities to SAS 70 Differences From SAS 70
Scope is focused on controls that are likely to be relevant to user entities' internal control over financial.


The new standard is an assurance or U.S. attestation standard, not an audit standard. The service auditor’s report and particularly the opinion is different.
Type 1 and Type 2 reports may be issued by the service auditor. Management will be required to provide an assertion, which will be included in the report.
Service organization's description of controls under SAS 70 generally will provide a basis for the system description under SSAE 16. In a Type II report, all three assertions and opinions are for a period of time. (In an SAS 70 Type II report, the opinions on fairness of presentation and suitability of design are only as of the date at the end of the period).
Service auditor's report is restricted to service organization management, user entities of the service organization and the independent auditors of the user entities. Service auditor is required to disclose any use of the work of Internal Audit (or other management testing functions) within the report.
Complementary user controls are included for consideration by the user auditor  

SOC 2 and SOC 3 engagements, whose requirements are defined in the AICPA AT (Attestation Standards) Section 101, address controls at the service organization that relate to operations and compliance. A SOC 2 report is similar to a SOC 1 report in that either a type 1 or type 2 report may be issued and the report provides a description of the service organization’s systems and control environment. SOC 2 engagements use predefined Trust Services Principles and Criteria and specifically address one or more of the following five areas:

  • Security - The system is protected against unauthorized access (both physical and logical).
  • Availability - The system is available for operation and use as committed or agreed.
  • Processing integrity - System processing is complete, accurate, timely and authorized.
  • Confidentiality - Information designated as confidential is protected as committed or agreed.
  • Privacy - Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP).

IT Risk Advisory professionals assist service organizations who need assurance on customer-facing systems in order to help satisfy the risk and compliance needs of their customers. Your team can provide assurance to service organizations and their clients through a report on controls relevant to financial reporting (SOC 1) or for areas including security, availability, processing integrity, confidentiality or privacy (SOC2 or SOC3).

For further information, please contact Brian Jennings, manager, RSM US LLP, 212.372.1981, or Andy Ellsweig, director, RSM US LLP, 212.372.1810.