SOC 1 Report

A SOC 1 Report (Service Organization Controls Report) is a report on controls at a service organization that are relevant to user entities’ internal control over financial reporting. The SOC 1 Report is what you would previously have considered to be the standard SAS 70, complete with Type I and Type II reports, but it falls under the SSAE 16 guidance.

Please see the following articles discussing the SSAE 16 guidance and additional information related to the SOC 1 (Type I and Type II) Reports:

Differences between SAS 70 and the new standards, SSAE 16 and ISAE 3402:

  1. Management of the Service Organization will be required to provide the service auditor with a written assertion about the following, when performing either a Type I or Type II engagement, which the service auditor will then attest to:
    • The fairness of the presentation of the description of the service organization’s system;
    • The suitability of the design of the controls to achieve the related control objectives stated in the description; and
    • The operating effectiveness of those controls to achieve the related control objectives stated in the description (Type II only).
  2. During the process of understanding the service organization’s system, the Service Auditor would be required to obtain information that would identify risks that the description of the service organization’s system is not fairly presented or that the control objectives stated in the description were not achieved due to intentional actions by service organization personnel.

Remember: Although the reporting standard is SSAE 16 or ISAE 3402, the report that you will receive will be a SOC 1!

SOC 2 and SOC 3 – Additional Reporting Options

In addition to the SOC 1 report, which is restricted to controls relevant to an audit of a user entity’s financial statements, the SOC 2 and SOC 3 reports have been created to address controls relevant to operations and compliance.

  • SOC 2 Report – Trust Services Principles – The Service Organization Control (SOC) 2 Report is performed in accordance with AT 101 and based upon the Trust Services Principles, with the ability to test and report on the design (Type I) and operating (Type II) effectiveness of a service organization’s controls (just like SOC 1 / SSAE 16).
  • SOC 3 Report – WebTrust and SysTrust – The SOC 3 Report is also based upon the Trust Services Principles and performed under AT 101. The difference is that a SOC 3 Report is permitted to be freely distributed (general use) and reports only on whether the entity has achieved the Trust Services criteria (no description of tests and results, and no opinion on the description of the system).

Comments

  1. Woh! What an interesting blog. This blog helped me to know more about the SOC report, that is, Service Organization Controls. It clearly explained the SOC report. In addition to that, another option is also discussed, called SOC 1 and SOC 2. I expect similar posts.

  2. Studio Guggino releases SSAE 16 REPORT I and II TYPE.
    If you are interested in it, contact us…

  3. It has better performance than the standard SAS70, complete with Type I and Type II reports, but falls under the SSAE 16 guidance. Thanks a lot for this great guide.

  4. Thanks for the update on the SOC.
