A question that often comes up from service organizations and service auditors is this: “Who can management distribute the report to?” The answer lies buried in the AICPA’s audit guides and differs depending on the type of service organization control (SOC) audit report.
SOC 1 (formerly SSAE 16) Audit Report – Paragraph 5.96 of the 2011 SSAE 16 audit guide states that “A practitioner should consider informing his or her client that restricted-use reports are not intended for distribution to non-specified parties…” Service auditors should give the completed reports to management of the service organization. In turn, management should give the report to their clients (e.g., existing user organizations). In any case, a practitioner is not responsible for controlling a client’s distribution of restricted-use reports.
SOC 2 (AT 101) Audit Report – Paragraph 4.44 of the 2012 audit guide states that “Management of a prospective user entity may need to obtain an understanding of a service organization’s system related to security, availability, processing integrity, confidentiality, or privacy and the historic operating effectiveness of controls at the service organization, either as part of its vendor selection process or to comply with regulatory requirements for vendor acceptance.” In short, management of the service organization may give the report to prospective user organizations (i.e., prospective clients).
In summary – SOC 1 reports can go to existing users; SOC 2 reports can go to existing users and prospective users. Here is a link to the AICPA’s website to purchase the audit guides discussed above.
Newel Linford is the co-founder of Linford & Co., LLP, the Managing Partner, and specializes in SOC and royalty examinations. He started his career with Ernst & Young in 1997. He has lectured at Data Center World, Rocky Mountain Area Conference for Finance & Accounting Professionals, University of Denver, and University of Colorado Boulder. He works closely with his clients so that the examinations meet the public needs and are performed in accordance with professional guidance.