
SSAE 16 / SSAE 18 / SOC 1,2,3
As business becomes more specialized, many companies extend their reach by leveraging the capabilities of other companies through outsourcing and cloud computing. The challenge is to ensure that adequate internal controls are in place at those service providers. A System and Organization Controls (SOC) report is an independent auditor's attestation on the service organization's controls.

Statement on Standards for Attestation Engagements 18 (SSAE 18), issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), superseded SSAE 16 and defines how service organizations' controls are examined and reported on.

There are three types of SOC reports, each intended for a different audience and purpose:

The SOC 1 report covers the service organization's controls that are relevant to its customers' (user entities') internal control over financial reporting. Distribution is restricted to existing user entities and their financial statement auditors; it is not intended for prospective customers.

The SOC 2 report covers controls beyond financial reporting, such as operational and compliance risks. Specifically, the report evaluates controls against one or more of the five AICPA Trust Services Criteria categories: Security, Availability, Processing Integrity, Confidentiality and Privacy. Security (the "common criteria") is always in scope; the other four are included at the service organization's option. Like SOC 1, a SOC 2 report is a restricted-use report for customers, their auditors and other parties with sufficient knowledge of the system.

SOC 1 and SOC 2 reports each come in two forms, Type I and Type II. A Type I report covers the fairness of the system description and the suitability of the design of the controls as of a specified date; it does not test whether the controls operated. A Type II report adds the auditor's tests of operating effectiveness over a review period (commonly six to twelve months), which is why customers relying on a service generally ask for Type II.

The SOC 3 report also uses the AICPA Trust Services Criteria, but it omits the detailed system description and the auditor's test results; it states only the auditor's opinion on whether the criteria were met. Because it is a general-use report, there are no restrictions on its distribution, and it can also be delivered in the form of a seal that the service organization displays on its website.

Our Approach

GJM has experience not only producing SOC reports, but also assessing SOC reports for appropriateness and risks.

Our team can provide:

  • Guidance on determining the right SOC report and scope for your organization
  • An initial SOC readiness assessment based on your organization's needs, to pinpoint areas of improvement before the examination so your organization is ready for a SOC report
  • Issuance of a SOC report that evaluates your organization's control environment
  • Assistance in reviewing another organization's SOC report(s), including its scope, exceptions and complementary user entity controls, to determine the impact on your organization as a user of that service and/or application
  • Development of the system description, process narratives and control documentation that support the creation of the SOC report

Questions? Ask an Expert

Adele Jasion
