Copyright © 2024 Tango. All rights reserved.
2024 Lease Buyer's Guide to Lease Administration & Accounting
According to the AICPA, "Service Organization Control
(SOC) reports are internal control reports on the
services provided by a service organization providing
valuable information that users need to assess and
address the risks associated with an outsourced
service." In other words, SSAE is used to regulate how
companies conduct business, and more specifically it
defines how companies report on compliance controls.
SOC 1 is an audit of internal controls at a service
organization that may affect their customers'
internal control over financial reporting. Clearly this is
something that is needed for lease financials and lease
accounting.
SOC 2 is a report that evaluates the business
information system that relates to security, availability,
processing integrity, confidentiality, and privacy.
The table below compares the various SOC reports.

SOC REPORT COMPARISON
Service Organization Control Reports

| Report | What It Reports On | Who Uses It |
| --- | --- | --- |
| SOC 1 | Internal controls over financial reporting | User auditors & users' controller's office |
| SOC 2 | Security, availability, processing integrity, confidentiality or privacy controls | Management, regulators & others. Shared under NDA |
| SOC 3 | Security, availability, processing integrity, confidentiality or privacy controls | Publicly available to anyone |

For both SOC 1 and SOC 2 Reports, focus on Type II
since it reports an attestation of controls at a service
organization over a period of time, not a point in time,
as with Type I.
Leave it up to compliance organizations to make
things complicated, right? To cut through the jargon,
focus on ensuring whatever software provider you are
looking at has an SSAE No. 18 Report, including SOC 1,
Type II and SOC 2, Type II.