
Service organization controls (SOC) reporting

Service organization controls (SOC) reports describe companies’ examinations of their internal controls over financial statements, security, availability, processing integrity, confidentiality, or privacy.

Each company’s needs vary, and the type of SOC report your organization needs may differ from what you expect. There are three different reports:

  • SOC 1 (type 1 or type 2): Related to financial statements
  • SOC 2 (type 1 or type 2): A limited use report related to security, availability, processing integrity, confidentiality, or privacy
  • SOC 3: A general use report related to security, availability, processing integrity, confidentiality, or privacy

Comparing SOC reports

| | SOC Report 1 | SOC Report 2 | SOC Report 3 |
|---|---|---|---|
| Purpose | Reports on the controls of the service organization that are relevant to the user organization’s financial reporting | Reports on the effectiveness of the controls of the service organization related to compliance or operations, including trust services principles and criteria | Same purpose as SOC 2 |
| Information required | Details on the system, controls, and tests performed by the service auditor, and results of those tests | Details on the system, controls, and tests performed by the service auditor, and results of those tests | Same information as SOC 2, but with a less detailed description of the controls of the service organization |
| Audience | User organization’s controllers, compliance officers, CFO, CIO, and financial statement auditors | User organization’s controllers, compliance officers, CFO, CIO, vendor management executives, regulators, other specified parties, and appropriate business partners | Unrestricted and can be viewed by anyone who would like confidence in the controls of the service organization |

Our specialized professionals have the experience and knowledge to assist your organization in determining the correct SOC report for your organization’s needs and guide you through the reporting process with minimal staff interruption.
