Providing guidance on service organization control services

Companies today increasingly rely on external service providers (service organizations) to perform key business functions. As a result, their customers and auditors need transparency into the service organization’s operations and internal controls. Warren Averett’s Service Organization Control reports are tailored to give a service organization’s customers and stakeholders a high level of assurance over the design and operating effectiveness of its internal controls. We work with service providers to understand the requirements of their stakeholders and customers and to determine the right report to meet those needs.

The American Institute of Certified Public Accountants (AICPA) defines three distinct categories of Service Organization Control examinations: SOC 1, SOC 2 and SOC 3 reports. Below is an overview of each category, along with the AICPA’s related SOC for Cybersecurity reporting framework.

SOC for Service Organizations: ICFR

SOC 1 examinations focus solely on a service organization’s controls that are likely to be relevant to its user entities’ internal control over financial reporting (ICFR). Common examples of service organizations that are candidates for an SOC 1 include trust departments, payroll processors, retirement recordkeeping services, actuarial services, and many others that provide outsourced services whose controls are relevant to the user entity’s internal control over financial reporting.

SOC for Service Organizations: Trust Service Criteria

Instead of focusing on financial reporting, SOC 2 examinations are performed against the Trust Services Criteria established by the AICPA, which cover five categories: security, availability, processing integrity, confidentiality and privacy. An SOC 2 report must address at least one of these categories; the security criteria (the common criteria) underpin every category, so security is in practice always in scope, and the other categories are added as the service’s commitments to its customers require. The criteria are integrated with the COSO Internal Control – Integrated Framework (2013) principles.

SOC for Cybersecurity

With increasing pressure to demonstrate that cybersecurity threats are being managed, organizations have to be able to show the processes and controls they use to detect, respond to and recover from security events. For this purpose the AICPA has developed a separate cybersecurity risk management reporting framework, SOC for Cybersecurity, complete with description criteria and control criteria, that allows senior management, boards of directors, analysts, investors and business partners to gain a better understanding of an organization’s efforts to protect against cybersecurity risks. Unlike an SOC 2, it reports on the entity-wide cybersecurity risk management program rather than on a particular service, and it is a general-use report.

SOC for Service Organizations: Trust Service Criteria for General Use Report

Similar to an SOC 2 report, the SOC 3 report addresses one or more of the AICPA Trust Services Criteria categories: security, availability, processing integrity, confidentiality and privacy. The difference is the audience. An SOC 2 is a restricted-use report that includes the detailed system description, the controls and the auditor’s tests and results, whereas an SOC 3 carries only management’s assertion and the auditor’s opinion, without the detailed description of controls and tests, so it can be distributed freely. An SOC 3 is commonly used by service organizations that process transactions or host customer data over the Internet and want to make their assurance public; it is typically posted on the service organization’s website, often with a public seal.


In addition to the categories of System and Organization Control reports above, SOC 1 and SOC 2 reports each come in two types:

  • Type I – A Type I report covers the service organization’s description of its system and the design of its controls as of a specified date. It does not include any tests of operating effectiveness, so it provides less assurance than a Type II. Type I reports are most commonly used as first-year SOC reports.
  • Type II – A Type II report covers the description of the system and the design of its controls and, in addition, the auditor’s tests of operating effectiveness over a period. The period generally spans a minimum of six months (most cover twelve months). The Type II offers the highest form of assurance of the SOC reports.


Since having a service organization control examination performed prematurely is not in our clients’ best interest, we offer Readiness Assessments that help management assess their company’s readiness for an SOC examination and identify control gaps to close before the examination period begins.

“Warren Averett’s SOC services are truly top notch. They not only helped enhance our internal controls, they helped us improve our business.”

– Billy Bailey, Sterne Agee