System and Organization Controls (SOC) is an independent assessment of the control tools and reporting of System and Organization Controls (SOC, formerly Service Organization Controls). This report format was approved in 2011 by the American Institute of Certified Public Accountants (AICPA), who can issue reports on the quality of certain internal controls of Service Organizations (three types of reports – SOC 1, SOC 2 and SOC 3).
SOC Report 1 – this is a report on the results of the audit of the control system over the processing of data related to the formation of financial statements.
– intended for owners and managers of service organizations, clients of service organizations, auditors of financial statements of clients.
SOC Report 2 – report on the results of the audit of the non-financial control procedures of the organization, conducted in accordance with the selected criteria of the Trust Service Principles (security, availability, integrity of processed data, confidentiality, protection of personal data).
– is intended for owners and managers of service organizations and clients of service organizations.
SOC Report 3 contains the information of the SOC 2 report, except for a detailed description of the controls, products and systems prepared by the organization’s management, a description of the audit tests performed or their detailed results.