More service providers recognize the importance of obtaining a System and Organization Controls (SOC) Report. SOC reports provide independent assurance that your service organization has the right controls in place to address the risks related to security and business. Created by the American Institute of Certified Public Accountants (AICPA), a SOC report is a thorough audit of a service organization’s (SO) controls (systems, processes and policies). Service providers recognize a SOC report can be the difference between winning and losing a client. Think about it: If a prospect is considering two equal vendors, but only one has obtained independent testing of its controls, which do you think the client will choose?

However, embarking on the SOC audit is not for the faint of heart. It shouldn’t be approached lightly, as it requires attention to detail, good resources and time. Depending on your level of readiness and the report type, the process can take anywhere from a few months to a year or longer from start to finish for organizations new to the process. Mature organizations can expect a shorter timeline – assuming they already have the necessary controls, processes and technologies in place.

Which SOC Report is Right for You?

The first step to SOC completion is selecting the right report. Depending on your circumstances, one may be required over another. This chart below can help you select the right one:


Will the report be used by your customers and their auditors to plan and perform an audit or integrated audit of your customer’s financial statements?


SOC 1 Report

Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s systems?


SOC 2 or 3 Report

Do your customers have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor and results of those tests?


SOC 2 Report


What is a SOC 1® Report?

A SOC 1 is a report on controls at your SO that are relevant to user entities’ internal control over financial reporting. This report is specifically intended to meet the needs of two parties:

  1. The entities that use service organizations (user entities)
  2. The CPAs that audit the user entities’ financial statements (user auditors)

SOC 1 helps the reader evaluate the effect of your service organization’s controls on a user entity’s financial statements.

Below are a few examples of companies that need a SOC 1 Report.

  • A health insurance company that outsources the medical claims processing function
  • An employee benefit plan that outsources functions to a bank to serve as custodian of assets, maintain records of account, allocate investment income and/or make payments
  • Any company that utilizes packaged software applications that enables customers to process financial and operational transactions (Application service provider or “ASP”)

There are two options when it comes to the SOC 1 report – type 1 and type 2.

A Type 1 report is a point-in-time assessment that evaluates:

  • The fairness of the presentation of management’s description of the service organization’s system (i.e., the accuracy of the system description)
  • The suitability of the design of the controls to achieve the control objectives included in the description (as of a specified date)

A Type 2 report covers a period of time, typically 6 to 12 months, and evaluates:

  • The fairness of the presentation of management’s description of the service organization’s system
  • The suitability of the design of the controls to achieve the control objectives included in the description (throughout the specified period)
  • The operating effectiveness of the controls to achieve the control objectives included in the description (throughout the specified period)

The service auditor issues its opinion with the SOC 1 report, which is distributed for restricted use to the management of the SO, user entities, and user auditors.

What is a SOC 2® Report?

A SOC 2 is a report on controls at a SO relevant to security, availability, processing integrity, confidentiality, and privacy in alignment with the AICPA Trust Services Criteria (TSC). While a SOC 1 report addresses a service organization’s impact on financial transactions, a SOC 2 report addresses the risks arising from interactions with service organizations and their systems.

The report is intended to meet the needs of a broad range of users that require information and assurance about the SO’s controls as they relate to:

  • The security, availability, and processing integrity of the systems used by the SO to process users’ data,
  • The confidentiality and privacy of the information processed by these systems.

Below are a few examples of companies that may need a SOC 2 Report:

  • Providing medical providers, employers, and third-party administrators and insured parties of employers with systems that enable medical records and related health insurance claims to be processed accurately, securely, and confidentially
  • Managing, operating, and maintaining user entities’ IT data centers, infrastructure, and application systems and related functions that support IT activities, such as network, production, security, and environmental control activities
  • Managing access to networks and computing systems for user entities (for example, granting access to a system and preventing, detecting, and mitigating, system intrusion)

As with the SOC 1 report, there are two report types for this engagement – type 1 and type 2.

Use of SOC 2 reports is generally restricted to those who have sufficient knowledge and understanding of the service organization, the services it provides, and the system used to provide those services. To read more about how LBMC can help you succeed with SOC Reporting, click here.

What is a SOC 3® Report

Similar to the SOC 2, the SOC 3 report is a report on the controls at a SO which are relevant to the SO’s ability to maintain the security, availability, processing, integrity, confidentiality, and privacy of a user entity’s data for which it is responsible. The assessment entails the same Trust Services Criteria, controls, and evaluation of controls addressed in a SOC 2 report.

The key distinction is that the SOC 3 is intended for general use as opposed to restricted use. This means that the SOC 3 report is a public-facing document that gives a high-level overview of information that would be contained in a SOC 2 report. While a SOC 2 report contains sensitive information about business systems and controls at a level that would not be appropriate for public distribution, a SOC 3 report does not and is used as a front-facing report, often for the purposes of sales and marketing.

Examples include:

  • A SO may choose to display a SOC 3 seal on its website if it meets the criteria, and link to the SOC 3 report.
  • Sales team may use the report to provide prospects and clients to assure them that SO is protecting their data and private information. Clients can easily verify best practices are being followed to guard against security breaches and corrupted data.

Another benefit of a SOC 3 report is there are no additional audit procedures necessary if you’ve already been issued a SOC 2 report.

What’s your SOC Scope?

Understand your business scope before selecting your SOC report and criteria. With careful consideration of each step, you’ll be better positioned to attain attestation faster and more efficiently. Best of all, your customers will have greater confidence in you as a service provider.

Learn more about our team at LBMC Information Security and our SOC Reporting services. Unsure if you can still achieve a SOC report in a COVID-19 environment? Read our recent article, COVID-19 Impact on SOC Reports to learn more.

Read related articles here:

Key Differences Between SOC 2 and SOC for Cybersecurity

SOC 2 and HITRUST: The Best of Both Worlds