In 2011, the American Institute of Certified Public Accountants (AICPA) approved the Service Organization Control report framework (SOC framework). Under the framework, Certified Public Accountants (CPAs) can issue reports on the quality of certain internal controls of Service Organizations. There are three types of report: SOC 1, SOC 2 and SOC 3.
In 2017, the principles set out in the Service Organization Control report framework were harmonized with the internal control framework of The Committee of Sponsoring Organizations of the Treadway Commission (COSO), the COSO Internal Control Integrated Framework. Obtaining an SOC report is now equivalent to receiving an independent auditor's report on the company's internal control system.
The auditor meets with the company's staff, gathers evidence of the effective design and operation of the controls that will be covered by the SOC report, compiles the report and provides it to the customer.
The difference is that the list of controls that need to be analyzed and evaluated is clearly defined by the Service Organization Control report framework. The customer must determine the type of report (SOC 1, SOC 2 or SOC 3) and, in the case of SOC 2 or SOC 3, the list of domains that the report will cover (Security, Availability, Processing integrity, Confidentiality, Privacy). This choice is usually based on the needs of the users to whom the report will be provided.
As a result of the auditor's work, the customer receives an SOC report in an agreed format (printed or electronic).