DEFINITION:
Jaruzelski, Ribeiro, and Lake (2014) define ASP as “an organization
that provides a contractual service to deploy, host and manage applications for customers
remotely from a centralized location.”
The AICPA defined Service Organization Control (SOC) Reports as “an internal control reports on
the services provided by a service organization providing valuable information that users need
to assess and address the risks associated with an outsourced service.”
According to Bourke (2012), SSAE 16 includes three broad types of SOC Reports, and the AICPA
(2014) differentiates the three as follows:
SOC 1 – reports on controls relevant to user entities' internal control over financial
reporting
SOC 2 – reports on controls over security, availability, processing integrity,
confidentiality, or privacy
SOC 3 – less-detailed reports, but similar to SOC 2 reports