The Service Organization Controls (SOC) reporting options are valuable tools for service organizations. Reporting options include the SOC 1, SOC 2, and SOC 3 described below.

The Service Organization Controls (SOC) reporting options are valuable tools for service organizations. Reporting options include the SOC 1, SOC 2, and SOC 3 described below.

SOC 1 reports

The attestation standard for SOC 1 reporting engagements provides user organizations with a strong sense of comfort about the outsourced services performed by service organizations on their behalf which are relevant to their financial reporting.

  • Purpose: Reports on the controls of the service organization that are relevant to the user organization's financial reporting.
  • Scope: Operational controls related to the accuracy of financial data and information technology general controls.
  • Audience: User organization's financial executives, compliance officers and financial statement auditors

SOC 2 and 3 reports

Established to address other types of third-party risks outside of financial reporting, SOC 2 and 3 reports provide user organizations with assurance over the critical systems and sensitive data used to provide the outsourced services. While the two options have similar scope, a SOC 3 has less detail and, therefore, typically provides less value to report users.

  • Purpose: Reports on the effectiveness of the controls of the service organization related to compliance or operations, based on the selected trust services principles (TSPs) and criteria
  • Scope: Governance, operational and information technology general controls that address one or more of the TSPs: security, confidentiality, availability, processing integrity and privacy
  • Audience: User organization's information technology executives, compliance officers, vendor management executives, regulators, other specified parties, and appropriate business partners

SOC 3 reports

  • Purpose: Same purpose as SOC 2 report
  • Information required: Same information as SOC 2 report, but with a less detailed description of the controls of the service organization
  • Audience: Unrestricted and can be viewed by anyone who would like confidence in the controls for the service organization

*Trust services principles and criteria is security, availability, processing integrity, confidentiality, and/or privacy. The security, availability, and processing integrity criteria are related to the controls system and the confidentiality and privacy criteria are related to the information processed by the system.

Type 1 vs. Type 2 Reports

Do not confuse SOC 1 and SOC 2 with Type 1 and Type 2. Both a SOC 1 and a SOC 2 can be either a Type 1 or Type 2. The key difference is:

  • Type 1 addresses the design of controls as of a point in time.
  • Type 2 addresses the operating effectiveness of controls over a period of time

Type 1 reports provide less comfort to the intended audience of the report and are uncommon. If the type of report is not explicitly stated, it is safe to assume it is most likely a Type 2.

Performing a SOC examination

If you’ve never had a SOC examination performed, you’re probably wondering what it entails. The first thing we need to do is determine which report is most applicable to your environment and the needs of your organization and your clients.

After we agree upon the type and scope of the examination, we typically perform a readiness assessment before your first SOC examination. The readiness assessment is a one-time review to identify your control activities satisfying each of the objectives or criteria. We will also determine potential test procedures and identify the types of evidence available to satisfy those test procedures. We are typically onsite for about two to three days. The deliverable from the readiness assessment will be draft report, similar to what the final SOC report will look like. This deliverable will include known or potential gaps in control activities and/or documentation. We tell our clients it’s like giving you the answers to the test.

After we provide the readiness draft, we allow you time to remediate control or documentation deficiencies before we begin our examination period.

About halfway through the examination period, and several weeks prior to the interim fieldwork, we will send out a document request list to assist you in gathering the necessary evidence prior to our visit. This will also help us select samples for testing.

When we arrive onsite we will conduct our walkthroughs, observational testing, and inspect the documentation you have provided for us. Interim fieldwork typically requires about one week onsite.

Towards the end of the examination period, we will perform final fieldwork where we will select additional samples and complete any remaining test procedures. After final fieldwork, we will subject the final report to our internal quality control procedures and we are able to issue the report approximately four to eight weeks after the completion of our test procedures.

SOC reporting: What service organizations need to know

Strong understanding of SOC 1, 2, and 3 reports is essential to clearly articulate services and internal control processes to user organizations. With a greater focus on internal control by regulators, boards of directors, and others charged with governance, there has been an increase in demand for attestation reports for both controls over financial reporting and other subject matters.

Read more >

Vendor management and the importance of SOC report reviews

The importance of vendor management continues to grow, especially given the rise in outsourcing tasks or entire functions of an organization to a service provider. As such, vendor management is becoming increasingly complex as more vendors are providing more services, often handling sensitive data with specific regulatory requirements. Service Organization Controls (SOC) reports are a key component in the process. However, many organizations simply file them away and fail to perform a critical review of each report.

Learn more >