What are SOC Reports for, and which kind do I need?

Co-authored by Melissa Avila

Navigating the risk and compliance world can feel overwhelming, and it can be difficult just to keep straight all the rapidly evolving ways in which company risks, regulations, guidance, and new technologies are changing. After all, concerns about protecting sensitive information are at an all-time high and are likely to become even more important in the future.

Two initial challenges with compliance are understanding what the various System and Organization Controls (SOC) reports are meant to accomplish, and recognizing why a company concerned about documenting its risk and compliance processes should choose one kind over another. 

To start with the basics, a SOC report is an audit report that covers the internal controls pertaining to a company’s information technology (IT) and business processes. Once called Service Organization Control reports, they are a group of offerings whose evolving requirements are overseen by the American Institute of CPAs (AICPA). 

The organizations that most often need to have SOC reports created are those that provide services or software to public companies or to regulated industries, such as banking or healthcare. In the SOC world, these organizations are called “service organizations.” Because service organizations handle a great deal of confidential, proprietary, and personal data, it’s natural that their clients would need to gauge how well that data is protected. In some cases, clients ask a company for a SOC report as a condition of engaging its services. In other cases, a company may wish to obtain a SOC report as a proactive demonstration of its sound security position. Lastly, some companies have grown weary of filling out endless security questionnaires from current and prospective customers and want a way to streamline this tedious, resource-consuming task.

SOC reports come in four “flavors,” with the first two divided further into two variants, Type I and II. Read on for a breakdown explaining which kinds of companies need each one, as well as what each report covers. 


SOC 1

Who needs one: Companies that perform outsourced services impacting the financial statements of their customers, such as payroll providers, benefit and claims processors, and loan servicers.

What it covers: The internal controls performed by the service organization that may affect their customers’ financial reporting. These include controls related to IT systems used to deliver the outsourced service.

One note: Given the confidential information that’s included, a SOC 1 report is typically only shared with those who have signed an NDA. 


SOC 2

Who needs one: Service organizations that store, process, or transfer data, such as cloud providers or those who sell SaaS (software as a service).

What it covers: This report concerns security first and foremost, and that’s why security is called the report’s “common criteria.” Covering security issues is mandatory, but the client decides which of the other four Trust Service Criteria should be documented. For each criterion, the report answers questions like these: 

  • Security: What protects the system against unauthorized access, use, or modification?
  • Availability: How do you ensure that systems are available for operation and use as committed or agreed?
  • Processing integrity: What methods are in place to ensure system processing is complete, valid, accurate, timely, and authorized?
  • Confidentiality: What methods ensure that any confidential information is protected as committed or agreed upon?
  • Privacy: Personal information must be collected, used, retained, disclosed, and destroyed in conformity with the commitments in a company’s privacy notice and with the criteria set forth in the generally accepted privacy principles (GAPP) issued by the AICPA. What procedures are in place to make sure this occurs?

One note: Like a SOC 1 report, a SOC 2 report is typically only shared with those who have signed an NDA. 

Types I and II

SOC 1 and SOC 2 reports each come in two different types, depending on whether or not the auditors weigh in on the effectiveness of internal controls over time. Type I reports include an opinion on the service organization’s design and implementation of its internal controls as of a specific date. In Type II reports, that opinion also covers the effectiveness of those controls over a period of time, usually from 6 to 12 months.

A Type II report provides a service organization’s users with a greater level of assurance than a Type I. However, we often recommend that service organizations start with a Type I and then move to a Type II. This allows a service organization to ensure that it has designed and implemented the correct controls before subjecting the controls to the higher level of scrutiny required by a Type II examination.


SOC 3

Who needs one: Service organizations that store, process, or transfer data, such as cloud providers or those who sell SaaS (software as a service).

What it covers: Audits for SOC 3 cover the same areas as SOC 2, but the report itself is shorter and less specific: it’s meant to be shared with the public, including potential customers, usually for marketing purposes. Such reports typically only include the auditor’s opinion, the service organization’s assertion, and a brief system description.

SOC for Cybersecurity

Who needs one: Organizations interested in assessing how much they are at risk for a cyberattack. 

What it covers: An organization’s cybersecurity risk management program and related controls. Its main audiences are senior management, boards of directors, analysts, investors and business partners, and anyone else who needs to know about a company’s risk of a cyberattack and how it’s been managed.

How it’s created: The same Trust Services Criteria used for SOC 2 and 3 are used here. 

Let Holtzman help you with your compliance needs

Holtzman can help you navigate today’s ever-changing regulatory climate, at a time when the right guidance is more important than ever. With clients ranging from startups and middle-market leaders to large multinational conglomerates, we dedicate ourselves to delivering stellar results for our clients. Learn more about our suite of SOC Reports (SSAE18) services and get in touch.
