08-19-11 | Blog Post

Service Organization Control Reports: SOC 1, SOC 2 & SOC 3

Blog Posts

In April 2010, the AICPA (American Institute of Certified Public Accountants) announced the replacement of SAS 70 by a new and refined auditing standard, the Statement on Standards for Attestation Engagements or SSAE 16. While SAS 70 was originally intended for financial and accounting auditing, the SSAE 16 audit was established to verify data center operational and security excellence.

In addition to SSAE 16, three new reports have also been established as the framework for examining controls at a service organization, aptly named Service Organization Control (SOC) reports. While the SOC 1 report is mainly concerned with examining controls over financial reporting, the SOC 2 and SOC 3 reports focus more on the pre-defined, standardized benchmarks for controls related to security, processing integrity, confidentiality, or privacy of the data center’s system and information. SOC 2 examines the details of data center testing and operational effectiveness. According to AICPA.org, these reports are very in-depth and useful for:

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

SOC 3 is for public use, and provides the highest level of certification and assurance of operational excellence that a data center can receive. A SOC 2 report includes auditor testing and results, while SOC 3 provides a system description and the auditor’s opinion.

For further clarification, see the chart below, comparing the details and use of each type of service organizational control report.

SOC 1 Internal controls over financial reporting User auditor and users’ controller’s office
SOC 2 Security, availability, processing integrity, confidentiality, or privacy controls Shared under NDA by management, regulators, and others
SOC 3 Security, availability, processing integrity, confidentiality, or privacy controls Publicly available to anyone


Why is this important for data center users? Even AICPA agrees it’s more efficient and cost-effective for companies to outsource to data centers that provide cloud computing or managed security, since they already have the experienced personnel, expertise, equipment and technologies in place to accomplish the basics of data hosting and security.

To mitigate risks associated with outsourcing your data hosting infrastructure, the AICPA suggests comparing SOC reports from a variety of vendors to make an informed decision when trusting service organizations with the security of your company’s critical information.

Get more information about SOC 2 hosting and SOC 2 data centers, and read more about the differences between SAS 70, SSAE 16 and SOC.

Related Links:
American Institute of CPAs (AICPA) – SOC Reports (formerly SAS 70 reports)
SSAE 18 vs SSAE 16: Key differences in the new SOC 1 standard
SOCs and SASs: The New Standards for Service Organization Controls Reporting

Read about other data center audits in:

Data Center Standards Cheat Sheet – From HIPAA to SOC 2
With the confusion regarding what audits and auditor reports apply to certain aspects of data center standards, I felt the need to create a basic data center/hosting solution audit cheat sheet to simplify matters. Here’s your comprehensive guide to data center audits and reports. …(continue reading)

What is a Service Organization Control (SOC) 2 Report?
Introduced in 2011, Service Organization Control (SOC) reports are becoming more and more popular in data security and compliance discussions with every passing year, especially SOC 2. …(continue reading)

SAS 70, SSAE 16, SOC 2 and SOC 3 Data Center Standards
SAS 70 (Statement on Auditing Standards No. 70) has been around for nearly 20 years.  First released in 1992, it has been the gold standard…(continue reading)


Overwhelmed by cloud chaos?
We’re cloud experts, so you don’t have to be.

© 2024 OTAVA® All Rights Reserved