Accounting & Auditing Blog

SOC 1 Report, SOC 2 Report or SOC 3 Report: Which Does Your Company Need?

Your company will need a specific SOC Report based on the type of client information it controls. Here is more information on each type of report

SOC 1 Report: (Also known as SSAE No. 16) 

  • The SOC 1 is a report on controls at a service organization relevant to user entities’ internal control over financial reporting.
  • These reports are prepared in accordance with the AICPA Statement on Standards for Attestation Engagements no. 16 (SSAE no. 16).
  • Contents of the Report:

    • Description of service organization’s system
    • CPA’s opinion on fairness of description, suitability of design and operating effectiveness of controls
    • In type 2 report: Description of CPA’s tests of  controls and results

SOC 2 Report: (Also known as AT101)

  • The SOC 2 is a report on controls at a service organization relevant to non-financial controls.
  • These reports are prepared in accordance with the AICPA Attest Engagement (AT101), and use the AICPA guide Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy.
  • SOC 2 Reports can form an important part of the users’ oversight of the service organization; vendor management; and internal corporate governance and risk management.
  • Contents of the SOC 2 Report:

    • Description of service organization’s system
    • CPA’s opinion on fairness of description, suitability of design and operating effectiveness of controls
    • In type 2 report: Description of CPA’s tests of controls and results

SOC 3 Report: (Also known as AT101)

  • Similar to a SOC 2, a SOC 3 is a report on controls at a service organization relevant to non-financial controls.
  • These reports are also prepared in accordance with the AICPA Attest Engagement (AT101), and use the AICPA guide on Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy.
  • SOC 3 Reports are used for clients needing a statement relevant to non-financial controls, but do not need the level of detail provided in a SOC 2 Report. 
  • These reports provide companies with a Trust Services Report, more commonly referred to as SysTrust reports.
  • These reports are general use reports and can be freely distributed or posted on a website as a seal.
  • Contents of the SOC 3 Report:

    • CPA’s opinion on whether the entity maintained effective controls over its system. 
    • A SysTrust for Service Organization seal can be issued on a service organization's website. (Practitioners must be licensed by the CICA to use this registered certification mark.)

No-Risk Consultation
Would you like more clarification on what type of SOC Report your organization needs? We encourage you to fill out our form for a no-risk consultation or contact us at 440-449-6800.

This entry was posted in Accounting & Auditing, CPA & Business Advisory. Bookmark the permalink. Follow any comments here with the RSS feed for this post. Both comments and trackbacks are currently closed.
© Copyright 2016 Skoda Minotti | Privacy Policy | Disclaimer | Remote Support
Cleveland 440-449-6800 | Akron 330-668-1100 | Tampa 813-288-8826
Website designed and developed by Skoda Minotti Strategic Marketing