AICPA SSAE 16 Report Comparison – SOC 1 vs. SOC 2 vs. SOC 3

The American Institute of Certified Public Accountants (AICPA) recently developed a Service Organization Control (SOC) Toolkit for firms that perform SOC engagements and their clients. The toolkit was developed to help firms navigate this emerging service area and help clients, prospects and service organizations understand the benefits of SOC engagements.

The toolkit includes a number of free SOC resources and can be found at:

Following is an excerpt from the toolkit related to the change from SAS 70 reports to SOC reports:

Many service organizations and other entities are familiar with SAS 70 reports — reports prepared following the CPA profession’s Statement on Auditing Standards No. 70, Service Organizations. Innovations in technology and the increasing use of outsourcing have led to these reports being used in ways that were never intended. Specifically, SAS 70 engagements were not designed to examine compliance and operational issues, such as security, availability, processing integrity, confidentiality or privacy. Moreover, “SAS 70 Certified” and “SAS 70 Compliant” were terms that gained traction in the marketplace, but in actuality were not part of a SAS 70 report.


Recently, the American Institute of CPAs released a new series of reporting options, called SOC reports, that enables CPAs to provide assurance on internal controls over subject matter other than financial reporting while filling the marketplace’s need to demonstrate reliability and mitigation of risk.

Differences between the reports: SOC 1 vs. SOC 2 vs. SOC 3

Our firm receives quite a few questions from clients and prospective clients about which service organization control (SOC) report is relevant to their environment. To help clients, prospects, and service organizations determine which type of SOC report to get, the AICPA has published the SOC Report Comparison Flyer. The flyer describes each type of SOC report and compares the report types to help service organizations determine which report is right for them. If you are a service organization trying to decide which SOC report is right for you, be sure to use the free guidance provided by the AICPA to make sure you get it right.
