In 2017, the AICPA introduced the term system and organization controls (SOC) to refer to the suite of services practitioners may provide relating to system-level controls of a service organization or system- or entity-level controls of other organizations. Formerly, SOC referred to service organization controls. By redefining that acronym, the AICPA enables the introduction of new internal control examinations that may be performed (a) for other types of organizations, in addition to service organizations, and (b) on either system-level or entity-level controls of such organizations. It is important that both CPA professionals and service organizations communicate properly when discussing SOC services to avoid misunderstanding. The following communication guidelines identify the recommended use of commonly used terms.
The acronym “SOC” stands for “System and Organization Controls.” Its complete descriptive name should only be used on the first reference.
Correct: “System and Organization Controls (SOC) is a suite of services CPAs may provide…”
Incorrect: “Service Organization Controls (SOC) is a suite of services CPAs may provide...”
The terms SOC 1®, SOC 2®, and SOC 3® are registered and accepted marks. Accordingly, the ® symbol should only be used on the first reference. Additionally, the terms should be used as an adjective, not a noun or verb.
Correct: "We received a SOC 1® report for the 12-month period ended…"
Incorrect: "We received a SOC 1 report for the 12-month period ended..."
Do not abbreviate, pluralize, or otherwise modify the SOC marks. Similarly, using “SSAE 16 SOC 2” is an inappropriate and inaccurate use of the mark, as SSAE 18 has superseded SSAE 16.
Correct: SOC 1®, SOC 2®, SOC 3®, SOC for Cybersecurity, SOC for Supply Chain
Incorrect: SOC II, SOC-2, SOC 2, SYSTEM AND ORGANIZATION CONTROL 2, AICPA SOC 2, or the like.
An example of this incorrect usage: “Company announced that it recently completed its SOC-2 (System and Organization Control 2) examination.”
SOC examinations are not certifications. Therefore, the terms “certified,” “certificate,” or “certification” should not be used when referring to SOC examinations and reports. Similarly, a CPA firm providing its client with a certificate of completion inappropriately implies the SOC examination was a certification.
Correct: “Company announced that it recently completed its SOC 2 examination”
Incorrect: “Company completed a SOC2 compliance certification”
Specific details about the service auditor’s opinion should not be included in communications unless the complete SOC report package is provided, because of the risk that the reader will misunderstand them. Stating that an unqualified opinion was received, without providing details of the types of controls included within the system, does not give the reader the information necessary to meet his or her needs. Likewise, stating that the organization received an unqualified opinion demonstrating that its controls meet or exceed SOC 2® requirements is unacceptable.
Correct: “Company recently received its first SOC 2® report on the organization’s controls relevant to security…”
Incorrect: “Company received an unqualified opinion on its SOC2® audit, which demonstrates that its controls meet or exceed the stringent SOC2 requirements.”
The AICPA’s SOC for Service Organizations logo should only be used if the organization has properly registered with the AICPA to use the logo and has complied with the terms and guidelines for use. A service organization that has properly registered with the AICPA may use the logo on its website to market its SOC 1®, SOC 2®, or SOC 3® report provided the logo is hyperlinked to www.aicpa.org/soc4so. The service organization is also required to cease using the logo if a new SOC report is not issued within 12 months. Service organizations can follow this link to review the terms, conditions, and guidelines for use of the SOC logo (PDF).