System and Organization Controls (SOC) Reporting is used by service organizations that provide critical, third-party outsourcing services to other companies. Examples of services provided by these organizations include; customer support, health care claims management, IT outsourcing services, and IT-based transaction processing, such as payroll processing.

Although these relationships may help companies increase revenues and reduce costs, they also introduce a new level of risk arising from interactions with the service organization and its systems.

While management can delegate responsibility for specific functions or processes to a service organization, management is still accountable for controls over those activities to shareholders, regulators, customers, boards of directors and other affected parties.

Since service organizations may have hundreds or even thousands of individual customers using their services, handling audit requests from that many customers would be overwhelming for the service provider. To help manage that audit process, the service organization can engage for an independent outside party to perform a review of their controls that are relevant to the security, availability, integrity and confidentiality of its systems. This is the concept of “audit once – serve many” reporting.

In this course, we will explore the types of SOC reports that are available and the scope/timing of testing that can be included in the SOC report.

Course Key Concepts: System and Organization Controls, SOC, SOC1 Type 1, SOC 1 - Type 2, SOC 2 - Type 1, SOC 2 - Type 2, SOC 3, SSAE18, Data Security, Data Availability, Data Integrity, Data Confidentiality, ICFR, Internal Control over Financial Reporting, Trust Services Criteria.

Learning Objectives
  • Discover and understand the evolution of the accounting standards that have preceded the current Statement on Standards for Attestation Engagements (SSAE) 18.
  • Recognize the differences between the various types of SOC reports.
  • Explore and understand the key terminology of the SOC reports.
  • Recognize the different sections of the SOC reports.
  • Discover how to review SOC reports with a focus on complementary user entity controls (CUECs).
Last updated/reviewed: August 19, 2023
9 Reviews (48 ratings)


Member's Profile
I thought this webinar was okay. The placement of the webcam could have been better; it blocked out pieces of the slides, so you couldn't see what they said underneath. To see what was there, I downloaded the slideshow from the left sidebar and followed along on my second computer screen. I was also surprised that the main focus was solely on SOC 1; I had expected to see more about SOC 2 and SOC 3 as well. It was still quite informative though.

Member's Profile
- In the test, using the full name of the item being question AND the acronym would be helpful, rather than just the acronym (i.e. CUEC.) - He has several lists of content that would have been nice to have on the slides.

Member's Profile
Very informative. In my position, I am required to review the reports and this provided great guidance. The checklist and sample were very useful to assist with what should be reviewed.

Member's Profile
Good overview and history of the changes in SOC reporting requirements. Based on the course title, I expected more information on SOC 2 reports.

Anonymous Author
Good course on SOC reporting and provided detailed content on the various components.

Anonymous Author
Very technical in nature. Disliked that the video box covered up parts of the slides.

Member's Profile
Great course. Checklist was very useful. Subject matter not easily found elsewhere.

Anonymous Author
Appreciate the supporting materials. Additional content on SOC2 would be beneficial.

Anonymous Author
Good summary overview of the SOC reporting process. Thanks for the information.

Course Complexity: Foundational
No advanced preparation or prerequisites are required for this course.
Education Provider Information
Company: Illumeo, Inc., 75 East Santa Clara St., Suite 1215, San Jose, CA 95113
Contact: For more information regarding this course, including complaint and cancellation policies, please contact our offices at (408) 400- 3993 or send an e-mail to .
Instructor for this course
Course Syllabus
  An Overview of System and Organization Controls (SOC) Reporting1:06
  Basic Concepts6:24
  Timeline of SOC Report Guidance10:12
  Two Types of SOC Reports1:16
  SOC Report-Key Terminology and Definitions15:20
  Breaking Down the SOC 1 Report5:14
  SOC 1 Report- Review Checklist14:36
  An Overview of System and Organization Controls (SOC) Reporting54:08
  Slides: An Overview of System and Organization Controls (SOC) ReportingPDF
  An Overview of System and Organization Controls (SOC) Reporting Glossary/IndexPDF
  CRU Sample SSAE18 ReportPDF
  SSAE18 SOC 1 Review ChecklistPDF