Skip to main content

SOC 2 is the assurance standard for compliance, sustainability and outsourcing audits. SOC 2 deals with assurance of non-financial information. Service Organization Control Reports in accordance with certain criteria (Trust Service Principles/ sustainability guidelines) without impact on financial information should be audited in accordance with the ISAE 3000 standard. Outsourced services with impact on financial information of the user organization should be audited in accordance with ISAE 3402 | SOC 1 . The ISAE 3402 | SOC 1 standard is subject to the requirements of SOC 2 | ISAE 3000

SOC 2 and outsourcing

Service organizations provide services to user organizations. The user organization has outsourced services. For the user organization it is relevant how the service organization deals with security, risk management and internal control. If the service organization processes financial information for the user organization, ISAE 3402 is relevant. If no financial information is processed, SOC 2 might be relevant. If the user organization requires transparency on security procedures, the service organization might provide a service organization control report or SOC 2 report.

Cloud services and SOC 2

The application- and cloud services industry has grown in the past years. Software might be provided by SaaS (software-as-a-service-providers) and data is increasingly stored by cloud service providers (data centres). This growth of the outsourcing industry increased the demand over assurance and transparency of these services. User organization required information from service providers whether data is backed up properly and whether unauthorized access to critical data is not possible.

Trust Services Criteria

ISAE 3402 and outsourcing

SOC 2 report

Service organization report on these aspects by a SOC 2 report containing information on the internal processes and controls at the service organization. The SOC 2 report is audited by professional audit firms to provide assurance that the controls included are actually in place and operate effectively. SOC 2 requires the auditor to comply with ethical requirements (IESBA code), to apply Quality Control procedures and to be competent to perform the SOC 2 assurance engagement.

Type I and type II

SOC 2 recognizes two type of reports; a Type I report containing the control framework at a specific moment and a Type II report that describes the operational effectiveness of the control framework for a period of six months. For a Type I report an external CPA audits the controls on suitability of design and existence of the controls described. The external auditor reports also on operating effectiveness of the control framework for a predetermined period of minimum 6 months.


A Software-As-A-Service provider (SaaS-provider) hosts applications for the government (the user organization). The information processed in applications has no impact on financial reporting procedures. The government requires the SaaS-provider to report on the effective operation of security measures. The service organization control report provided by the SaaS provider will be audited by a professional accountant (CPA) in accordance with the SOC 2 standard. The service auditor states in the assurance report that the security measures exist (Type I) and operate effectively (Type II only). If the information processed in the applications has impact on financial information (e.g. annual report), ISAE 3402 | SOC 1 would be applicable.

Example Sustainability Reporting

A large retailer reports on sustainability. The criteria for sustainability and social responsibility are required by local government. An external auditor provides assurance with the sustainability reporting considering the criteria provided by government. Assurance is provided in accordance with the "ISAE 3000 standard. The users of the sustainability report know that the information in the report is accurate and all information is included. They also know that the information provided is in compliance with the relevant standards.

What are the requirements for ISAE 3000?

The requirements are included in the standard, which can be downloaded from the IFAC website. The standard includes the following components: Ethical requirements, Required planning and audit procedures Reporting requirements, Quality requirements an professional skepticism