
Different SOC Reports and Their Types

What type of companies need SOC reports?

Service organizations provide services to “user entities”, and those services are likely to be relevant to the user entities’ internal control over financial reporting. Generally, service organizations are required to conduct a SOC examination to obtain a recognized level of assurance on their internal controls. They could be:

  • Software as a Service
  • Outsourced Transaction Processors (e.g., Payroll Processors, TPAs)
  • Professional Services with Access to Sensitive Client Data (e.g., Accounting Firms, Law Firms, Comp & Benefit Consultants, etc.)
  • Outsourced Data Centers/Co-Location Facilities
  • Resellers of Credit Reporting Agencies (Equifax, TransUnion, Experian, etc.)
  • Outsourced Security Operations Centers
  • Business Associates of Covered Entities (Healthcare)

What are SOC Reports?

SOC for Service Organizations reports are designed to help service organizations that provide services to other entities build trust and confidence in the services performed, and in the controls related to those services, through a report by an independent CPA.

What is a SOC 1 Report?

SOC 1 reports address a company’s internal control over financial reporting and may help demonstrate compliance with various regulations, such as the Sarbanes-Oxley Act.

What is a SOC 2 Report?

SOC 2 reports will help your customers satisfy their vendor management, business continuity, and regulatory requirements. SOC 2 reports are built around the definition of a consistent set of parameters for the IT services that a third party provides to you. If you are required to have a measure of how well a vendor provides private, confidential, available and secure IT services, then you need to ask for an independently audited and assessed SOC 2 report.

What is a SOC 3 Report?

SOC 3 reports are designed to be a less technical and detailed audit report with a seal of approval which could be put up on the website of the vendor. It is a short-form report that does not contain all of the sections that are included in SOC 1 and SOC 2 reports.

What are the attestation standards related to SOC reports?

Statement on Standards for Attestation Engagements No. 16 (SSAE 16) guidance – SOC 1

AICPA and Canadian Institute of Chartered Accountants (CICA) Trust Services Principles and Criteria: security, availability, processing integrity, confidentiality, and privacy – SOC 2 & SOC 3

What is the difference between Type 1 and Type 2 reports?

The short answer is that a Type 1 report describes the procedures and controls an organization has put in place as of a point in time. A Type 2 report has an audit period and provides evidence of how an organization operated its controls over a period of time. SOC 1 and SOC 2 reports can be either a Type 1 or a Type 2 report. A SOC 3 report is neither a Type 1 nor a Type 2 report.

What kind of SOC report do I need?

Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial statements? SOC 1

Does your company rely on vendors to process and safeguard your sensitive data – or are you a vendor entrusted with sensitive data? SOC 2

Do you need a simpler report to support your marketing purposes and to share with anyone? SOC 3

Contact Us Today

If you are an investment manager who has been entrusted with custody of your clients’ financial assets, your fund is subject to an annual surprise examination (audit) by an independent public accounting firm. If you are looking for a public accounting firm that can be trusted to conduct a fair and thorough examination to provide the most confidence to you and your investors, then please reach out to us at 844-386-3829 to learn more about the services we offer.
