Service Organization Control (SOC) reports are independent, third-party reports issued by assessors certified by the American Institute of Certified Public Accountants (AICPA), address the risks associated with an outsourced service.
An SOC 1 report details the organization’s internal controls over client-owned data involved in client financial reporting. Report usage is restricted and intended for organizations and the auditors who audit financial statements. SOC 1 reports are not intended for the general public.
SOC 1 audits and reports are based on the Statement on Standards for Attestation Engagements (SSAE 18) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).
Reports and other documentation
A SOC 1 report may be provided for IBM services that have implemented controls in accordance with selected Trust Service Principles. The SOC report demonstrates that IBM has appropriately designed its controls for the selected Trust Service Principles and that the controls operated effectively for the report period.
The services listed below have an SOC 1 Type 2 report available, representing a period of time during which controls were assessed. As such reports represent an assessment period in the past, a bridge letter may accompany an SOC 1 Type 2 report, in which IBM attests to service control and continued performance since the last reporting period ended.
IBM Service Descriptions (SD) indicate if a given offering maintains SOC 1 Type 2 compliance status. Services below issue SOC 1 Type 2 reports at least once each year.