If you are an IT sourcing professional or an attorney negotiating IT agreements, you have probably encountered the terms AT 101, SSAE No. 16, SOC, SOC1℠, SOC2℠ and SOC3℠. These are terms that are well understood by security professionals, but for the rest of us, here is a quick primer:

  1. What is AT 101? AT 101 refers to the professional attestation standards issued by the American Institute of Certified Public Accountants (“AICPA”), codified within AT Section 101, Attest Engagements, and used by certified public accountants to examine and report on controls at service organizations other than financial reporting controls, such as information security and privacy controls.
  2. What is SSAE No. 16? SSAE No. 16 stands for “Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at Service Organizations” and is an attestation standard issued by the Auditing Standards Board (“ASB”) for auditors reporting on controls relevant to financial reporting.  SSAE No. 16 replaced the SAS 70 standard in June 2011.
  3. What is SOC? SOC stands for “Service Organization Control” and refers to one of three reporting options (SOC1℠, SOC2℠, and SOC3℠) under the reporting framework created by the AICPA to provide some transparency into the design and operational effectiveness of financial, operational, and compliance controls of service organizations. Each SOC report has a particular role and purpose, as outlined below. For additional information on the AICPA SOC framework, please consult the AICPA FAQs – New Service Organization Standards and Implementation Guidance.
    • SOC1℠ is an attestation examination conducted under SSAE No. 16, designed to report on controls relevant to financial reporting. There are two types of reports for SOC1℠ engagements: SOC1℠ Type 1, a report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the control objectives, and SOC1℠ Type 2, a report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the control objectives. The key difference between the SOC1℠ Type 1 report and the SOC1℠ Type 2 report is that the Type 2 report includes the auditor’s opinion on whether the controls operated effectively, with a description of the tests performed by the auditor and the test results.
    • SOC2℠ is an attestation examination conducted under AT 101, designed to report on controls relevant to the security, availability, or processing integrity of the service organization’s system or the confidentiality and privacy of the information processed by the service organization’s system, based on the AICPA and the Canadian Institute of Chartered Accountants’ Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. As with SOC1℠, there are two types of reports for SOC2℠ engagements: a SOC2℠ Type 1 report (covering management’s description of a service organization’s system and only the controls’ design), and a SOC2℠ Type 2 report (covering management’s description of a service organization’s system, the controls’ design, and the operating effectiveness of the controls).
    • SOC3℠ is an attestation examination conducted under AT 101 using the predefined criteria in the Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy that are also used in SOC2℠ engagements. SOC3℠ reports can be issued on one or more of the five (5) Trust Services principles: security, availability, processing integrity, confidentiality and/or privacy. The key difference between a SOC2℠ report and a SOC3℠ report is that a SOC2℠ report contains a detailed description of the tests performed by the auditor on the controls covered in the report, the test results and the auditor’s opinion on the description of the service organization’s system. By contrast, the SOC3℠ report is a general use report (often posted on a service organization’s website) that provides only the auditor’s report on whether the service organization’s system achieved the Trust Services criteria, with no information on tests and results and no opinion of the auditor on the system description.

As described above, SOC1℠ reports cover solely controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements, while SOC2℠ and SOC3℠ reports address controls at a service organization relating to the service organization’s operations and/or compliance obligations. In practice, from an IT sourcing perspective, if you are looking to do due diligence on whether a service provider has proper controls in place to protect the confidentiality, security, and availability of your information assets, you should ask for a copy of the service provider’s SOC2℠ report.