For over 20 years, Certified Public Accountants have performed specialized audits of information technology (IT) internal controls at service organizations. During this time, a report by a CPA firm has become the standard for reporting on internal controls at a service organization as required by the U.S. Government, Security and Exchange Commission (SEC), the financial services industry, and standard contract terms with countless service organization users. One of the main reasons for this wide adoption has been that the professional standards that underpin these CPA reports provide customers with a basis for relying on the reports’ conclusions. The objective of these service organization reports (SOC) has been to provide the customers of service organizations, and the auditors of those customers, assurance over the effective operation of IT controls designed to address IT risk to information processing. To provide the framework for CPAs to examine controls and to help management understand the related risks, the American Institute of Certified Public Accountants (AICPA) established three Service Organization Control (SOC) reporting options (SOC 1, SOC 2 and SOC 3 reports).