Auditing Standards


Service organizations should maintain accurate and reliable internal controls. The American Institute of Certified Public Accountants (AICPA) accounting and auditing standards are designed to ensure the integrity and reliability of reporting on those internal controls through a trusted, independent evaluation of the control processes by chartered and certified public accountants, as well as information technology subject matter experts.

SOC Reporting Information and Standards

Service Organization Control 1 (SOC 1)

SSAE 16, completed under AT 801, Reporting on Controls at a Service Organization

AICPA Guide, Service Organizations, Applying SSAE 16 (SOC 1℠)

The Report is Restricted Use (for both type 1 and type 2)

Description of service organization’s system

CPA’s opinion on fairness of presentation of the description, suitability of design and, in a type 2 report, the operating effectiveness of controls

A type 2 report includes a description of the CPA’s tests of controls and results

Controls likely to be relevant to user entities’ financial statements

Service Organization Control Report 2 (SOC 2)

AT 101, Attestation Engagements

AICPA Guide, Reporting on Controls at a Service Organization (SOC 2℠)

The Report is Restricted Use (for both type 1 and type 2)

Description of service organization’s system

CPA’s opinion on the fairness of presentation of the description, suitability of design and, in a type 2 report, the operating effectiveness of controls

A type 2 report includes a description of the CPA’s tests of controls and results

Controls over the security, availability and processing integrity of a system and the confidentiality and privacy of information processed by the system.

Service Organization Control Report 3 (SOC 3)

AT 101, Attestation Engagements

AICPA Technical Practice Aid, Trust Services Principles, Criteria and Illustrations

The Report is for Public Use

An unaudited system description used to delineate the boundaries of the system

CPA’s opinion on whether the entity maintained effective controls over its system

Controls over the security, availability and processing integrity of a system, and the confidentiality and privacy of information processed by the system