
Accounting and Assurance International Investment Advisors Management Consulting Business Technology CFO Advisory Services Financial Advisory Growth Human Capital Operations Risk Services Mergers & Acquisitions Private Equity Search & Staffing Tax

Additional Information Forensic, Valuation, and Litigation Support Internal Audit Sarbanes-Oxley SOC reporting SSAE 16 (SAS 70 / SOC 1) services Technology Risk Consulting

Service organization controls (SOC) reporting services

Service organization controls (SOC) reports describe companies’ examinations of their internal controls over financial statements, security, availability, processing integrity, confidentiality, or privacy.

Each company’s needs will vary, and the type of SOC report your organization needs may be different from what you may think. There are three different reports:

SOC 1 (type 1 or type 2): Related to financial statements
SOC 2 (type 1 or type 2): A limited use report related to security, availability, processing integrity, confidentiality, or privacy
SOC 3: A general use report related to security, availability, processing integrity, confidentiality, or privacy

Comparing SOC reports
	SOC 1 report	SOC 2 report	SOC 3 report
Purpose	Reports on the controls of the service organization that are relevant to the user organization’s financial reporting	Reports on the effectiveness of the controls of the service organization related to compliance or operations, including trust services principles and criteria	Same purpose as SOC 2
Information required	Details on the system, controls, and tests performed by the service auditor, and results of those tests	Details on the system, controls, and tests performed by the service auditor, and results of those tests	Same information as SOC 2, but with a less detailed description of the controls of the service organization
Audience	User organization’s controllers, compliance officers, CFO, CIO, and financial statement auditors	User organization’s controllers, compliance officers, CFO, CIO, vendor management executives, regulators, other specified parties, and appropriate business partners	Unrestricted and can be viewed by anyone who would like confidence in the controls of the service organization

Our specialized professionals have the experience and knowledge to assist your organization in determining the correct SOC report for your organization’s needs and guide you through the reporting process with minimal staff interruption.

Contact our risk services team >