The Failed Launch of Service Organization Controls (Formerly SAS70) Reports

On June 15, 2011, the Statement on Auditing Standards no. 70 (SAS70) report was replaced by three new reports called Service Organization Controls reports: SOC1, SOC2, and SOC3, which are based on the Statement on Standards for Attestation Engagements no. 16 (SSAE16) and AT101.

The change was prompted by several things, but among them was the need to clarify that SAS70 is not a certification, and there is no such thing as "SAS70 Compliant." Watch this video from the American Institute of Certified Public Accountants (AICPA).

Below are Google Images search results on the term "SAS70" that exemplify the kind of misuse that existed in the market.

Only 6 months after the launch of SOC reports, the following logos are already appearing.

These just in:

Without some kind of intervention, it would appear that SSAE16 is bound for the same fate as SAS70. I believe that we can help prevent that from happening by educating our clients about the assurance a SOC report provides, and by encouraging them to use the logos provided by the AICPA and CICA.


  1. Hi Jon,
    Would be glad to see logos from AICPA and CICA. Also, can't a service organization market itself by saying that they have completed SOC-1 and SOC-2 reporting? What is the harm in that?

    Thanks very much for bringing all these insights.

    Really appreciate it!! Keep it up.

  2. Abhinav,

    Thank you for your comment. I will update the post with those logos. The problem I see with service organizations marketing themselves by creating their own seals/logos is that it dilutes the brand value of the AICPA and CICA trademarks. Imagine if a restaurant wanted to advertise that they sell Coca-Cola, but instead of using a real Coca-Cola sign, they designed and displayed their own sign with a completely different logo? I'm sure that the distributor would have a problem with that, and refuse to sell Coke products to them if they did not remove the sign.

    I sincerely appreciate your feedback and encouragement.

  3. Thanks John. I just saw the video and the logo in that, which clearly states "previously SAS70." I am looking for an article on the following:

    1. Exact difference between SOC2 and SOC3, and what makes SOC3 marketing compliant and not SOC2?

    2. If a service organization completes SOC2, will getting a SOC3 be just like removing some material from SOC2 (which is what I understand till now :) ) so that it can be distributed freely?

    3. Samples of reporting formats for SOC1, SOC2 and SOC3. I know this is difficult, but maybe you can tell a bit about the contents and structure of the reports?

    You can answer these slowly.... No hurry.... just trying to explore things with you.... Thanks once again...


  4. 1. This is from the SOC reports brochure from the AICPA: "The key difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report, which is generally a restricted use report, contains a detailed description of the service auditor’s tests of controls and results of those tests as well as the service auditor’s opinion on the description of the service organization’s system. A SOC 3 report is a general-use report that provides only the auditor’s report on whether the system achieved the trust services criteria (no description of tests and results or opinion on the description of the system)." The explanation the AICPA gives as to why the SOC3, and not the SOC2, is okay to use for marketing (available for general use) is that the SOC3 does not have the detail that could be misinterpreted by inexperienced users.
    2. Exactly.
    3. All of the report examples are given in the standards:
    SOC1 - AT801 (Appendices A-C)
    SOC2 - AT101 (Appendix A)

  5. Thanks Jon, I am enjoying my learning... Thanks for these great contributions.

  6. Link to Trust Services Criteria

    The document tells everything on the questions I asked.

    Thanks Jon
