Outsourcing: Service Organization Control (SOC 2 and SOC 3) Reports on Controls Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy


Executive Summary

This Legal Alert complements our Legal Alert dated May 19, 2011, relating to SOC 1 reports, entitled Outsourcing: SAS 70 Superseded for Service Provider Controls Reporting by SSAE 16 (SOC 1 Legal Alert), and completes our coverage of the new service organization control reporting framework (SOC 1, SOC 2 and SOC 3) established by the American Institute of Certified Public Accountants (AICPA).

Customers (user entities) engaging outsource service providers (service organizations) to perform services involving the collecting, processing, transmitting, sorting, organizing, maintaining or disposing of user entity information expose themselves to additional risks associated with the system the service organization uses to deliver the services. The user entities and their management remain ultimately accountable to the various regulatory bodies and to the user entities’ stakeholders (boards of directors, shareholders, customers, etc.) for the successful and compliant conduct of the user entities’ outsourcing arrangements with service organizations.

With the AICPA’s issuance of its Guide: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, updated May 1, 2011 (SOC 2 Guide), accountants for service organizations (service auditors) are now able to issue three service organization control reports in the AICPA framework – SOC 1, SOC 2 and SOC 3 reports. This framework of reports provides user entities’ management with tools to obtain certain assurances regarding the performance of outsource service providers’ service delivery systems.

Following the SOC 2 Guide, service auditors may issue SOC 2 type 2 reports on the service organization’s controls over the systems it uses to perform, provide and deliver the services to a specific user entity. SOC 2 type 2 reports have the flexibility to cover some or all of the five “trust services principles” – security, availability, processing integrity, confidentiality and privacy. Specifically, these reports contain (1) the service organization management’s description of the service organization’s system, (2) a detailed description of the service auditor’s tests of the operating effectiveness of the service organization’s controls, and (3) the results of those tests, which together enable the user entity’s management to better assess, address and report on the risks associated with the outsourced services.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
