System and Organization Controls

From Wikipedia, the free encyclopedia

System and Organization Controls (SOC), (also sometimes referred to as service organizations controls) as defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories called Trust Service Principles.[1] The AICPA auditing standard Statement on Standards for Attestation Engagements no. 18 (SSAE 18), section 320, "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting", defines two levels of reporting, type 1 and type 2. Additional AICPA guidance materials specify three types of reporting: SOC 1, SOC 2, and SOC 3.

Trust Service Principles[edit]

SOC 2 reports focus on controls addressed by five semi-overlapping categories called Trust Service Principles which also support the CIA triad of information security:[1]

  1. Security
    • Firewalls
    • Intrusion detection
    • Multi-factor authentication
  2. Availability
    • Performance monitoring
    • Disaster recovery
    • Incident handling
  3. Confidentiality
    • Encryption
    • Access controls
    • Firewalls
  4. Processing Integrity
    • Quality assurance
    • Process monitoring
    • Adherence to principle
  5. Privacy
    • Access control
    • Multi-factor authentication
    • Encryption



There are two levels of SOC reports which are also specified by SSAE 18:[1]

  • Type I, which describes a service organization's systems and whether the design of specified controls meet the relevant trust principles. (Are the design and documentation likely to accomplish the goals defined in the report?)
  • Type II, which also addresses the operational effectiveness of the specified controls over a period of time (usually 9 to 12 months). (Is the implementation appropriate?)


There are three types of SOC reports.[2]

  • SOC 1 – Internal Control over Financial Reporting (ICFR)[3]
  • SOC 2 – Trust Services Criteria[4][5]
  • SOC 3 – Trust Services Criteria for General Use Report[6]

Additionally, there are specialized SOC reports for Cybersecurity and Supply Chain.[7]

SOC 1 and SOC 2 reports are intended for a limited audience – specifically, users with an adequate understanding of the system in question. SOC 3 reports contain less specific information and can be distributed to the general public.


  1. ^ a b c "SOC 2 Compliance". Imperva. Retrieved 25 February 2020.
  2. ^ "System and Organization Controls: SOC Suite of Services". AICPA. Retrieved 2020-03-06.
  3. ^ "SOC 1 – SOC for Service Organizations: ICFR". AICPA. Retrieved 2020-03-06.
  4. ^ "SOC 2 – SOC for Service Organizations: Trust Services Criteria". AICPA. Retrieved 2020-03-06.
  5. ^ "2018 SOC 2® Description Criteria (With Revised Implementation Guidance – 2022)". Retrieved February 27, 2023.{{cite web}}: CS1 maint: url-status (link)
  6. ^ "SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report". AICPA. Retrieved 2020-03-06.
  7. ^ "System and Organization Controls: SOC Suite of Services". AICPA. Retrieved 2023-02-22.

External links[edit]