Service Organization Controls Report (SOC) is an audit report issued by an independent auditor about the design and implementation of internal controls, and potentially the operating effectiveness of internal controls for a specified period of time. These reports are used to enhance a trusting relationship between business parties.

In our business world today, businesses are becoming more and more interdependent on each other.  For example, auto makers rely heavily on car dealerships to sell their cars, and insurance companies rely heavily on insurance agents or administrators to manage insurance policies. A third party organization that provides services for another entity is called a service organization. An entity that uses a service organization is called a user entity. Lack of a trusting, effective and efficient relationship between the service organization and a user entity is detrimental to an organization of any size. One such incident occurred in 2008 to Heartland Payment Systems, a credit card processing company, in which an estimated 130 million customer accounts were compromised: all of Heartland’s partners were affected because of its breach.


As a result of these interdependencies, the American Institute of Certified Public Accountants (AICPA) has put forth a comprehensive framework, Service Organization Control (SOC) Reports, which helps built trust between service organizations and user entities.  These reports are known as SOC 1, SOC 2, and SOC 3 Reports.  The SOC Framework was established to help clarify and bring needed transparency in regards to reporting on controls at service organizations. These reports have been widely used to help service organizations retain current customers and attract potential customers.


There are five components to a typical SOC report. They include the following:


Management Assertion Letter issued and signed by Service Organization’s management stating their assertions regarding the descriptions of the systems included in the report.


Independent Auditor’s Opinion Letter issued and signed by independent auditor regarding the design, narrative, and, if a Type II report, the operating effectiveness of the controls.


Management’s Description of the System Narrative written by Service Organization’s management regarding the system.


Results of Testing (Only applicable to Type II report) Table that describes the objective/criteria, the related controls that address the objective/criteria, testing performed by auditor, and the results of testing performed.


Other Information (Not required) Narratives or tables prepared by Service Organization on information not included in the report or opined on by the auditor (i.e. future plans, other services provided, qualitative information)



If you would like to learn more about these SOC audits or receive a free 2-hour consultation regarding your organization’s SOC readiness, please contact Andrew Wan at or by phone at 801-313-1900.