By engaging an independent CPA to examine and report on a service organization’s controls, service organizations can respond to meet the needs of their user entities and obtain an objective evaluation of the effectiveness of controls that address operations and compliance, as well as financial reporting at those user entities.
To provide the framework for CPAs to examine controls and to help management understand the related risks, the AICPA is establishing three Service Organization Control (SOC) reporting options (SOC 1, SOC 2, and SOC 3 reports).
SOC 1 engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization. SOC 1 reports focus solely on controls at a service organization that is likely to be relevant to an audit of a user entity’s financial statements. SOC 2 and SOC 3 engagements address controls at the service organization that relates to operations and compliance and are under AT 101. SOC 1, 2, and 3 reports represent significant changes in service organization reporting approaches brought about as a result of several important changes.