SOC Reports - SSAE 18 SOC1 and SOC2

One of the most effective ways a service organization can communicate information about its controls is through a Service Organization Control (SOC) report. A SOC 1 report focuses on controls at the service organization that would be useful to user entities and their auditors for the purpose of planning a financial statement audit of the user entity and evaluating internal control over financial reporting at the user entity. The SOC 1 report contains the service organizations system description and an assertion from management. In addition, the independent service auditor opinion or service auditor report is included. There are two types of SOC 1 reports: Type I and Type II. A Type I report is intended to cover the service organizations system description at a specific point in time. A Type II report not only includes the service organizations system description, but also includes detailed testing of the service organizations controls over a minimum six month period also known as Tests of Operating Effectiveness. SOC 2 and SOC 3 reports are designed to allow service organizations to communicate information about their system description in accordance with specific criteria related to availability, security, and confidentiality.