Service organization controls (SOC) reporting

Service organization controls (SOC) reports describe companies’ examinations of their internal controls over financial statements, security, availability, processing integrity, confidentiality, or privacy.

Each company’s needs will vary, and the type of SOC report your organization needs may be different from what you may think. There are three different reports:

  • SOC 1 (type 1 or type 2): Related to financial statements
  • SOC 2 (type 1 or type 2): A limited use report related to security, availability, processing integrity, confidentiality, or privacy
  • SOC 3: A general use report related to security, availability, processing integrity, confidentiality, or privacy

 Comparing SOC reports

 SOC Report 1SOC Report 2SOC Report 3
PurposeReports on the controls of the service organization that are relevant to the user organization’s financial reportingReports on the effectiveness of the controls of the service organization related to compliance or operations, including trust services principles and criteriaSame purpose as SOC 2
Information requiredDetails on the system, controls, and tests performed by the service auditor, and results of those testsDetails on the system, controls, and tests performed by the service auditor, and results of those testsSame information as SOC 2, but with a less detailed description of the controls of the service organization
AudienceUser organization’s controllers, compliance officers, CFO, CIO, and financial statement auditorsUser organization’s controllers, compliance officers, CFO, CIO, vendor management executives, regulators, other specified parties, and appropriate business partnersUnrestricted and can be viewed by anyone who would like confidence in the controls of the service organization

Our specialized professionals have the experience and knowledge to assist your organization in determining the correct SOC report for your organization’s needs and guide you through the reporting process with minimal staff interruption.