Service organizations may also obtain audits of specific, defined control criteria that meet customer requirements beyond those covered by a SOC 1 report. SOC refers to the System and Organization Controls 1, 2 and 3 reports issued under the standards of the American Institute of Certified Public Accountants (AICPA).
SSAE 18 serves as the guidance for the issuance of SOC 1 reports. SOC 2 and SOC 3 audits are performed under the guidelines of AT 101.
Here is what you need to know about these reports:
- SOC 2 and SOC 3 reports specifically address risks around the following five Trust Principles (the SysTrust and WebTrust principles):
  - Processing Integrity
- These reports may include one or all of the Trust Principles
- Each Trust Principle has defined criteria (i.e., requirements) that must be satisfied
- Requirements for the SOC 2 and SOC 3 reports are defined by the AICPA
- The SOC 2 report is intended for limited distribution to knowledgeable parties and can be issued as a Type I or a Type II report
- The SOC 3 report results in the issuance of an opinion only; it does not include a description of the controls or of the tests performed