Service Organization Reports Comparison: SOC 1, SOC 2, SOC 3

The chart below compares the SOC 1, SOC 2, and SOC 3 Service Organization Reports by alternate name, the companies typically subject to examination, the criteria used to evaluate the service organization, the components of the report, the intended users of the report, and whether a seal is issued upon completion of the engagement.

| Feature | SOC 1 | SOC 2 | SOC 3 |
| --- | --- | --- | --- |
| Alternate Name | SSAE 16 | AT 101 | Trust Services |
| Companies Typically Subject To Examination | Service Organizations which affect the internal control over financial reporting of their User Entities. | Service Organization which provides an outsourced service but does not affect the internal control over financial reporting of their User Entities. | Service Organization which provides an outsourced service but does not affect the internal control over financial reporting of their User Entities. |
| Criteria to Evaluate Service Organization | No Predefined Criteria | Predefined Criteria such as Trust Services, ISO/IEC can be used. | Predefined Trust Services Criteria |
| Components of Report | 1. Auditor's report; 2. Detailed system description; 3. Management assertion; 4. Management controls; 5. Auditor tests of controls and results of those tests (control objectives) | 1. Auditor's report; 2. Detailed system description; 3. Management assertion; 4. Management controls; 5. Auditor tests of controls and results of those tests (criteria) | 1. Auditor's report; 2. Detailed system description; 3. Management assertion |
| Intended Users of Report | Service Organization Management, User Entity Management, User Entity's Auditors (Restricted Use Report) | Generally Service Organization Management and User Entity Management (Restricted Use Report) | Anyone (General Use Report) |
| Seal Issued Upon Completion of Engagement | No Seal Issued | No Seal Issued | Seal Issued Which Can Publicly Appear on Service Organization Website |