AICPA SOC FOR SERVICE ORGANIZATIONS
Terms, Conditions and Guidelines for Service Organizations
September 2020

The official AICPA SOC for Service Organizations – Service Organizations logo (the “SOC for Service Organizations – Service Organizations Logo”) is provided herein. The SOC for Service Organizations - Service Organizations Logo is owned by the American Institute of Certified Public Accountants (“AICPA”). The AICPA has established the following guidelines (the “Guidelines”) that govern your display and use of the SOC for Service Organizations - Service Organizations Logo. In order to download and use the SOC for Service Organizations - Service Organizations Logo, you will be required to complete and submit the registration page, by which act you are affirming that you have read, understand and agree to comply with these Guidelines.

Before downloading and using or displaying the SOC for Service Organizations - Service Organizations Logo, you must read and understand these Guidelines. These Guidelines are subject to change by the AICPA without prior notice. You are responsible for maintaining familiarity with the current Guidelines during the course of your usage or display of the SOC for Service Organizations – Service Organizations Logo.

When may a service organization use or display the SOC for Service Organizations - Service Organizations Logo?

A Service Organization may use or display the SOC for Service Organizations - Service Organizations Logo, provided it has had at least one of the following three SOC for Service Organizations reports issued by a licensed CPA¹:

1. SOC 1® – SOC for Service Organizations: ICFR

SOC 1® reports are examination engagements performed by a service auditor in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting. SOC 1 reports are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.

¹ In the attestation standards, a CPA performing an attestation engagement is ordinarily referred to as a practitioner. However, SOC 1®, SOC 2®, and SOC 3® engagements use the term service auditor rather than practitioner to refer to a CPA reporting on controls at a service organization.

The two types of SOC 1® reports are:

(i) Type 1 – A report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

(ii) Type 2 – A report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

Use of a SOC 1® report is restricted to the management of the service organization, user entities, and user auditors.

2. SOC 2® - SOC for Service Organizations: Trust Services Criteria

SOC 2® reports are examination engagements performed by a service auditor in accordance with SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements, and AICPA Guide SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy using predefined criteria in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, 2017 Trust Services Criteria). SOC 2® reports can be issued for one or more categories (security, availability, processing integrity, confidentiality or privacy) (applicable trust services criteria).

The two types of SOC 2® reports are:

(iii) Type 1 – A report on management’s description of the service organization’s system and the suitability of the design of the controls to provide reasonable assurance that the service organization’s principal service commitments and system requirements were achieved based on the applicable trust services criteria;

(iv) Type 2 – A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to provide reasonable assurance that the service organization’s principal service commitments and system requirements were achieved based on the applicable trust services criteria.

Use of a SOC 2® report is restricted to user entities, their auditors, and others who have the requisite understanding of the service organization.

3. SOC 3® - SOC for Service Organizations: Trust Services Criteria for General Use Report

If a service organization needs a report that it can distribute freely, it may ask the service auditor to also issue a SOC 3® report at the end of the SOC 2® examination. Unlike a SOC 2® report, a SOC 3® report does not include a description of the system, so the detailed controls within the system are not disclosed. In addition, the SOC 3® report does not include a description of the service auditor’s tests of controls and the results thereof. Because a SOC 3® report is a general-use report, it can be freely distributed by the service organization. As such, SOC 3® reports are often used to market a service organization’s services to prospective customers and business partners.

How may you use the SOC for Service Organizations - Service Organizations logo?

  • The SOC for Service Organizations - Service Organizations Logo may be used or displayed to market and promote your SOC 1®, SOC 2® or SOC 3® report(s), provided you comply with the requirements described in Paragraph 1 and the logo is hyperlinked to www.aicpa.org/soc4so. Examples of ways in which the logo may be used and displayed include the following:
    (a) on your website
    (b) in your marketing brochures, report packages or engagement proposals
    (c) in your PowerPoint presentations
    (d) in your social media posts
    (e) in printed physical media, provided the www.aicpa.org/soc4so URL is included in proximity to the placement of the logo.
  • You may use the SOC for Service Organizations - Service Organizations Logo only in the form downloaded from the email you receive after you complete and submit the registration form. You may not alter the logo in any manner except for size.

When must you cease using/displaying the SOC for Service Organizations - Service Organizations Logo?

  • You may use the SOC for Service Organizations - Service Organizations Logo only for a period of twelve (12) months following the date of the SOC report issued by a licensed CPA. If after twelve months a new report is not issued, you must immediately cease use of the SOC for Service Organizations - Service Organizations Logo.
  • You must cease use of the SOC for Service Organizations - Service Organizations Logo for any or no reason, upon sixty (60) days' notice, which notice may be delivered by posting on the AICPA website.
  • You must cease use of the SOC for Service Organizations - Service Organizations Logo if you fail to comply with these Guidelines and fail to cure such failure within sixty (60) business days from receipt of notice from the AICPA.

Other Guidelines

7. You may not assign, sublicense or otherwise transfer any rights to use the Service Organization Logo to any third party, and acknowledge and agree that any such attempted transfer would be void and unenforceable.

8. Upon the AICPA’s reasonable request, you will submit to AICPA copies of all marketing materials and documentation bearing the Service Organization Logo, allow AICPA to inspect materials bearing the logo, and provide the AICPA with such information as the AICPA may reasonably require to monitor your compliance with these Guidelines.