Reporting on Controls at a Service Organization (SOC)

As the demand for your company’s services increases, so do the requests from your customers for assurance: assurance that you’ve taken the steps necessary to protect the privacy and confidentiality of their data as well as the security, availability and processing integrity of your systems. You are not alone. Looking to reduce infrastructure costs, many organizations are utilizing outsourcing and cloud computing solutions. Similarly, the demand for assurance of the integrity of these outsourced applications and functions has expanded as well.

As a service organization providing outsourced or cloud computing services, you are an extension of your customers’ system of internal control, and your customers rely upon you to protect them from the risk of fraud, unauthorized use of data, loss of data and violation of privacy.

The American Institute of Certified Public Accountants (AICPA) has provided a way to demonstrate the reliability of your system of controls and to provide assurance to your customers through three Service Organization Control (SOC) reporting options: SOC 1, SOC 2 and SOC 3.

SOC Solutions Tailored for Your Needs

SOC 1 reports address controls at a service organization that are likely to be relevant to an audit of a customer’s financial statements.
SOC 2 and SOC 3 reports address controls at a service organization related to operations and compliance as identified in the AICPA’s Trust Service Principles.
The SOC 3 report is intended to be used as a marketing tool for an unrestricted audience, broader than that of a SOC 2 report.


By offering these three reporting options, the AICPA is providing a means to address your needs and the needs of your customers for assurance of your system of controls and their data.

Sensiba San Filippo’s Business Process Assurance Group can help you evaluate your needs and determine which SOC reporting option(s) will best serve your business and your clients.
