System and Organization Controls: SOC Suite of Services
System and Organization Controls (SOC) is a suite of service offerings CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations.
Learn more about the SOC suite of services below:
Internal control reports on the services provided by a service organization, providing valuable information that users need to assess and address the risks associated with an outsourced service.
- SOC 1® — SOC for Service Organizations: ICFR
- SOC 2® — SOC for Service Organizations: Trust Services Criteria
- SOC 3® — SOC for Service Organizations: Trust Services Criteria for General Use Report
A reporting framework through which organizations can communicate relevant, useful information about the effectiveness of their cybersecurity risk management program and CPAs can report on such information to meet the cybersecurity information needs of a broad range of stakeholders.
An internal controls report on an entity's system and controls for producing, manufacturing or distributing goods to better understand the cybersecurity risks in their supply chains.
- Brochure Infographic: SOC Survey Results. The AICPA staff conducted a survey of over 400 firms to gain an understanding of the market for SOC and third-party assessment services.
- Whitepaper: Implications of the Use of Blockchain in SOC for Service Organization Examinations
- FAQs - SOC 2® and SOC 3® Examinations: nonauthoritative guidance on selected practice matters raised by members in connection with SOC 2® and SOC 3® examinations.
- Whitepaper: Materiality considerations for attestation engagements involving aspects of subject matters that cannot be quantitatively measured
- FAQs — SOC 1® and SOC 2® Issues Arising From COVID-19
To assist service auditors with performing and reporting on SOC 1 and SOC 2 examinations during these uncertain times, the AICPA staff has prepared this nonauthoritative guidance.
- Exposure Draft: Proposed description criteria for a description of an entity's production, manufacturing, or distribution system in a SOC for supply chain report
- Brochure: SOC 2® and SOC for Cybersecurity: How they’re different and how they can help.
- Whitepaper: SOC 2® examinations and SOC for cybersecurity examinations: Understanding the key distinctions
- Mappings relevant to the SOC Suite of Services
- SOC Communications Guidelines
Formerly, SOC referred to service organization controls.