A question that often comes up from service organizations and service auditors is this: “Who can management distribute the report to?” The answer lies buried in the AICPA’s audit guides and differs depending on the type of service organization control (SOC) audit report.
SOC 1 (formerly SSAE 16) Audit Report – Paragraph 5.96 of the 2011 SSAE 16 audit guide states that “A practitioner should consider informing his or her client that restricted-use reports are not intended for distribution to non-specified parties…” Service auditors should give the completed report to management of the service organization. In turn, management should give the report to their clients (e.g., existing user organizations). In any case, a practitioner is not responsible for controlling a client’s distribution of restricted-use reports.
SOC 2 (AT 101) Audit Report – Paragraph 4.44 of the 2012 audit guide states that “Management of a prospective user entity may need to obtain an understanding of a service organization’s system related to security, availability, processing integrity, confidentiality, or privacy and the historic operating effectiveness of controls at the service organization, either as part of its vendor selection process or to comply with regulatory requirements for vendor acceptance.” In short, management of the service organization may give the report to prospective user organizations (i.e., prospective clients).
In summary – SOC 1 reports can go to existing users; SOC 2 reports can go to existing users and prospective users. Here is a link to the AICPA’s website to purchase the audit guides discussed.