FYI - Service Organizations—Service Auditors Define, Service Auditor: Practitioner who reports on controls at a service organization. Define, User Auditor: An auditor who audits and reports on the financial statements of a user entity. (In other words, the auditor of an entity that has outsourced the processing of its transactions to the service organization for whom such processing may be more efficient; the user auditor must consider relevant internal controls of the service organization in auditing the financial statements of such a user entity.) **Performance of test of control—If reporting on the operating effectiveness of internal control, the service auditor must perform appropriate tests of controls.** **An opinion can be rendered on Type 1 and It would disclaim an opinion on the operating effectiveness of the entity's internal controls. (Type 2 reports)**

**System and Organization Control Reports (called SOC Reports)** SOC 1 Report: “To give the auditor of a user entity's financial statements information about controls at a service organization that may be relevant to a user entity's internal control over financial reporting. A Type 2 SOC 1 report includes a detailed description of tests of controls performed by the CPA and results of the tests.” [Such a report must be restricted to specified users.] Note The service auditor's report under AT-C 320 is an SOC 1 report. SOC 2 Report: “To give management of a service organization, user entities and others a report about controls at a service organization relevant to the security, availability or processing integrity of the service organization's system, or the confidentiality and privacy of the data processed by that system. A Type 2 SOC 2 report includes a detailed description of tests of controls performed by the CPA and results of the tests.” [Such a report must be restricted to specified users.] SOC 3 Report: “To give users and interested parties a report about controls at the service organization related to security, availability, processing integrity, confidentiality or privacy. SOC 3 reports are a short-form report (i.e., no description of tests of controls and results) and may be used in a service organization's marketing efforts.” [This is the only SOC report that is appropriate for “general use”; the others must be restricted to specified users.]