What Is A SOC Report?

What is a SOC Report? Understanding SOC 1, SOC 2, and SOC 3

System and Organization Controls reports, or SOC reports, are independent attestation reports that help companies gain trust in their vendors’ services or products through an auditor’s examination of how those services are delivered, the business processes behind them, and the controls over them.

Your organization should seek SOC report assurance from vendors or service providers that transact on its behalf, process or store its data, or process or store its clients’ data.

SOC reports, developed by the American Institute of Certified Public Accountants (AICPA), describe a service organization’s system and the controls over it, covering areas such as security, availability, processing integrity, confidentiality, privacy, financial reporting, and cybersecurity. The criteria the auditor tests against depend on the report: SOC 1 reports are evaluated against control objectives the service organization defines for its impact on clients’ financial reporting (commonly with reference to the COSO internal control framework), while SOC 2 and SOC 3 reports are evaluated against the AICPA’s Trust Services Criteria. There are three main types of SOC reports:

  • SOC 1: Focuses on controls relevant to clients’ internal control over financial reporting, including the IT general controls that support them.
  • SOC 2: Focuses on operational controls often used in Third-Party Risk Management (TPRM) and provides detailed insights into a service organization’s internal controls.
  • SOC 3: A public version of SOC 2 used for broader audiences.

SOC reports are important for risk management because they help organizations identify potential risks, vulnerabilities, and flaws in a vendor’s processes and controls. Reviewing a vendor’s SOC report lets your organization see which controls the vendor has in place, where the auditor found exceptions, and what compensating controls your own organization should implement.

Shared Assessments’ products complement SOC reports by providing a strong vendor security assurance package when used together. Shared Assessments views SOC reports as pairing well with its Standardized Control Assessment (SCA) Procedure Tools, which provide risk professionals with a set of resources (solutions, templates, checklists, guidelines) that can be used to plan, scope, and perform third-party risk assessments.

Types of SOC Reports

There are three prevailing types of SOC reports: SOC 1, SOC 2, and SOC 3. SOC 1 is focused on controls relevant to financial reporting. SOC 2 is focused on security, availability, processing integrity, confidentiality, and privacy. SOC 3 covers the same areas as SOC 2 but omits the detailed description of the auditor’s tests and results, so it is less comprehensive. A separate report, SOC for Cybersecurity, reports on an organization’s enterprise-wide cybersecurity risk management program.

SOC 1 Report

A SOC 1 report is an attestation report on the controls at a service organization that are relevant to its clients’ financial reporting. Depending on the type (see below), it covers either the design of those controls as of a specific date or both their design and their operating effectiveness over a period. SOC 1 reports are used to assess the internal controls of service organizations that handle financial information for their clients, and how those controls may impact the clients’ financial reporting. SOC 1 reports help companies communicate their risk management and controls framework to stakeholders. These reports are crucial for both user entities and their financial statement auditors, because they show how the service organization’s controls affect the user entities’ financial statements.

SOC 2 Report

A SOC 2 report focuses on assessing a service organization’s operational controls, which is why it is the report most often used in TPRM. SOC 2 reports address the operational risks of outsourcing to third parties outside of financial reporting. They can help mitigate the risk of data breaches and financial losses by confirming that controls meeting the Trust Services Criteria are suitably designed and, in a Type II report, operating effectively. (SOC 2 reports work well with Shared Assessments’ Standardized Control Assessment (SCA) Tools. The SCA can be used to provide clients with an independently assessed review of critical controls, often at a lower cost than a SOC 2 report. The SCA can be used as an addendum to, or a replacement for, a SOC 2 report.)

SOC 3 Report

A SOC 3 report is essentially a public version of SOC 2, used for broader audiences. SOC 3 is a general-use document that reports on an organization’s controls for security, availability, processing integrity, confidentiality, and privacy, but without the detailed system description and test results found in a SOC 2. It’s based on the American Institute of Certified Public Accountants’ (AICPA) Trust Services Criteria (TSC). SOC 3 reports can help a service organization demonstrate its commitment to security and availability standards.

Distinguishing Between Type I and Type II SOC Reports

SOC 1 and SOC 2 reports can be issued as a Type I or Type II report. A Type I report describes an organization’s controls as of a single point in time, including management’s description of the service organization’s system and the auditor’s opinion on whether the controls are suitably designed; it is a snapshot of the control environment. A Type II report additionally tests how effectively the implemented controls operated over a set period (typically 6 or 12 months) and includes the auditor’s tests and their results, making it the more comprehensive form of reporting. Most TPRM programs prefer a Type II report (usually a SOC 2 Type II) for third-party risk assessment purposes, because the audit period shows that the controls were evaluated continuously rather than on one day.

Benefits of SOC Reports in Risk Management

SOC reports benefit organizations in many ways, including building trust, improving efficiency, ensuring regulatory compliance, mitigating risk, and demonstrating commitment to security standards.

SOC reports verify an organization’s internal controls (a collection of safeguards and procedures) by evaluating the design of controls at a specific point in time (Type I) and, in a Type II report, by also testing the controls’ operating effectiveness over a period, typically by selecting samples and reviewing evidence across six months to one year.

A Type II SOC report lists the controls, the tests performed, and the results of the tests. If a control meets all the test requirements, the results will indicate no exceptions. If a control doesn’t meet all the requirements, the results will indicate an exception, along with a summary of what failed and why, usually accompanied by management’s response describing how the issue was mitigated or remediated.

When reading a SOC report, your organization should review any exceptions and management’s responses to determine how they affect your use of the service, and should also check the complementary user entity controls the report assumes your organization operates on its own side, since the auditor’s opinion depends on them.

As a service provider, SOC reports build trust and transparency with clients by demonstrating independently verified controls. As an outsourcer, SOC reports help with risk mitigation by helping your organization identify and manage third-party risks effectively. SOC reports also help with vendor compliance by providing independent evidence of a vendor’s controls that you can map to your own regulatory requirements.

SOC Reports and Shared Assessments’ Tools

Shared Assessments’ Standardized Control Assessment (SCA) Procedure Tools can strengthen security assessments where a SOC report does not cover your third-party risk requirements, by providing a standardized way to verify a vendor’s controls directly. Taking an integrated approach and combining SOC 2 Type II reports with SCA tools offers a robust security assurance package for vendor management.

Shared Assessments supports a “trust but verify” approach with standardized tools. The Standardized Information Gathering (SIG) Questionnaire acts as the “trust” component, allowing an initial self-assessment by vendors. The Standardized Control Assessment (SCA) acts as the “verify” component, enabling further due diligence through on-site or virtual assessments that validate the information provided in the SIG questionnaire. This combination of tools and sequence of steps allows organizations to initially accept vendor claims and then verify those claims through additional scrutiny.

Discover how Shared Assessments’ Standardized Control Assessment Procedure Tools work alongside SOC reports to provide comprehensive security assurance for your vendors. Connect with us for a consultation to help you improve your risk management strategy.

How to Choose the Right SOC Report

The type of SOC report that’s best for an organization depends on its specific control objectives and needs. It also depends on whether you are a service provider or an outsourcer. Two decisions are involved: the report family (SOC 1, 2, or 3) sets what subject matter is covered, and the type (Type I or Type II) sets how deeply the controls are tested.

A SOC 1 report addresses controls that affect clients’ financial reporting, so it is the right choice when a vendor’s service feeds into its clients’ financial statements (payroll, loan servicing, claims processing, and similar). A Type I report of either family is the simplest form: it delivers point-in-time testing to illustrate the design of controls as of a specific date, with no further testing of whether the controls kept operating. A Type I works best if a service organization or vendor needs to return a report to a prospect or client quickly to evidence that controls are in place. Think of it as a schematic or general impression to use when in a pinch.

A SOC 2 report addresses security, availability, processing integrity, confidentiality, and privacy, which is the subject matter most TPRM programs care about. A SOC 2 Type II looks at the same design of controls as a Type I and additionally tests the operating effectiveness of the controls over a period, commonly six months for a first report. (Best practice is to have the SOC 2 cover 12 months and then issue an annual SOC 2 thereafter to report on continual coverage of controls.) For assessing an operational vendor, a SOC 2 Type II is the more thorough choice, as it offers more context on the controls and how they actually worked over time; richer data gives a more accurate picture.

Finally, a SOC 3 report is essentially a public version of SOC 2, used for broader audiences in a marketing context. A SOC 3 is a badge of controls courage for vendors. When you want to show a wide audience that an independent auditor has reported on your controls, or to simplify early-stage vendor conversations, wave the SOC 3 flag; clients performing detailed due diligence will still ask for the full SOC 2.

Frequently Asked Questions About Service Organization Controls (SOC) Reports

Is a SOC Report Mandatory?

SOC reports are not legally required for any organization. However, they can be important for building customer trust and confidence. Some customers may expect to see a SOC report before doing business with you, and you might expect to see one from your partners before doing business with them. It is not uncommon to have a SOC report required on an annual basis as a term or condition of doing business.

Who Should Get a SOC Report?

Organizations that provide services or software that may impact a client’s financial reporting or sensitive data may be required to have a System and Organization Controls (SOC) report. This includes financial service, healthcare, data centers, software as a service (SaaS), web hosting and cloud storage.

How Do I Know If I Need a SOC Report?

Service organizations that process, store, or otherwise affect sensitive or financial data for your organization may need a SOC report. These organizations include:

  • Financial services: payroll, loan servicers, and investment advisors
  • Healthcare: electronic medical record (EMR) providers and healthcare data processors
  • Data centers: including cloud service providers and host data centers
  • Software-as-a-service (SaaS) providers
  • Other service providers: web hosting, accountants, money managers, marketing agencies, and staffing firms

Does Every Company Have a SOC Report?

Not every company has a SOC Report. No governing authority requires SOC audits. Industries with low regulation rarely require SOC reports, but companies in these industries still benefit from conducting SOC assessments as some clients require a SOC report as a condition of doing business.

Who Prepares SOC Reports?

SOC reports are issued by independent third-party auditors. The service organization’s management prepares the description of its system and a written assertion about its controls; a licensed Certified Public Accountant (CPA) firm then examines them under the AICPA’s attestation standards and issues the opinion that forms the report. The CPA firm must be independent of the organization being audited.

What is the Most Common SOC Report?

The most common System and Organization Controls (SOC) report is the SOC 2 report. It’s especially popular with software-as-a-service (SaaS) companies that provide third-party services to customers who trust them with sensitive data. SOC 2 is flexible in how it evaluates security controls, and helps organizations show that their internal controls protect customer data.

Is a SOC Report a Risk Assessment?

Not exactly. A SOC report is an independent attestation on a company’s internal controls, including how it manages risks to its system; it is not a risk assessment of your organization. It is, however, a key input to your own risk assessment of that vendor. Reviewing a SOC 2 report (its scope, the auditor’s opinion, any exceptions, and the controls it expects you to operate) can be a critical step in cybersecurity and third-party assessments, helping your organization identify and manage risks to its systems, data, and vendors.

How Often Are SOC Reports Done?

The frequency of System and Organization Controls (SOC) reports depends on several factors, including client requirements, regulatory needs, and the type of SOC report. SOC 2 Type II reports are typically issued annually, covering a 12-month period, but can be done every six months depending on client preferences or concerns. For the months between a report’s period end and the date you review it, ask the vendor for a bridge (gap) letter stating that no material changes to the controls have occurred. A new SOC 2 audit should also be considered if there are major changes to the vendor’s information security environment.