SOC Reports: Why, Who and How

July 18th, 2012
Sourcing & Procurement

article courtesy of Smith & Howard

The number of businesses that outsource certain tasks and functions to service organizations, like payroll processing and credit card processing, has grown by leaps and bounds over the past several years. While both sides – the businesses doing the outsourcing and the service providers – benefit, there is an increasing need to ensure that such providers have internal controls in place, provide adequate safeguards of data and information and have demonstrated a level of trust and commitment to compliance that the outsourcing business and its customers can rely upon. Hence, the Service Organization Control (SOC) report.

Created by the American Institute of Certified Public Accountants, SOC reports provide assurance over financial controls and controls relevant to:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

SOC reports examine and report on different areas of controls and have graduated allowable uses; businesses can determine the most advantageous approach for them, and should consider not only the assurance of security of data, and how different levels of SOC reports can positively affect their ability to market their business against their competitors.

Following is a quick look at the three available SOC reports:

  1. A SOC 1 report results from an engagement under a new Statement on Standards for Attestation Engagements, SSAE 16 – Reporting on Controls at a Service Organization. SSAE 16 examines internal controls at a service organization that impact a user entity’s controls over financial reporting. This report is to be used only by the external auditors of user organizations and the management of user entities. SSAE 16 requires the same level of evidence and assurance expected under the former SAS 70 service auditor engagement. It essentially fills the role of a SAS 70 report as it was originally intended.
  2. SOC 2 reports provide detail on controls at a service organization covering security, availability, processing integrity, confidentiality or privacy. Its use is generally restricted to certain identified users who, among other things, have some knowledge of the nature of the services that the service organization provides. The SOC 2 report can offer greater assurance to customers and stakeholders about internal controls in areas that were not meant to be covered by the former SAS 70 report.
  3. SOC 3 reports are Trust Service examination reports. They address the same subject areas as a SOC 2 report, but in a shortened version (about one page, in fact) that can be used in a service organization’s promotional efforts and on its website. SOC 3 reports can serve as a marketing tool, with potential customers for instance, to show the organization has appropriate controls in place to mitigate risks.


As SOC –certified accountants, Smith & Howard’s team takes a streamlined approach to SOC engagements. Users of SOC reports should make sure they are working with a firm that provides the same approach in order to get a final report that meets the needs of the end users. Our approach includes:

  • Performing readiness assessment
  • Understanding the business, processes and control environment of the service organization
  • Documenting our examination procedures to provide assurance on controls
  • Designing and testing the controls in operation for the business to confirm controls are in place and operating effectively
  • Reporting the results of testing only after rigorous review, to ensure the quality of our final report.

For details on the levels of SOC reports, certifications available to companies looking to market their SOC certification or any other questions about SOC engagements, please call Marvin Willis or Debbie Risher at 404.874.6244, or email