SOC 1, 2, and 3 Reports (SSAE18)

SOC Reports Information for Service Organizations

System and Organization Controls (SOC) reports are designed to help service organizations, that is, organizations that operate information systems and provide services to other companies, build trust and confidence in their service delivery processes and controls through a report issued by an independent Certified Public Accountant.

There are three types of reports to support service organizations:

SOC 1 Report

These reports are specifically intended to meet the needs of companies that use service providers and of those customers’ financial auditors. Using this report it is possible to evaluate the effect of the controls at the service organization on the customers’ financial statements. User auditors use these reports to plan and perform audits of the customers’ financial statements. Use of these reports is restricted to the management of the service organization, user entities, and user auditors.

SOC 2 Report

These reports are intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization that affect the security, availability, processing integrity, confidentiality, or privacy of the data center’s system and information. Examples of stakeholders who may need these reports are vendor management, security managers, privacy officers, regulators, and others who have an understanding of the service organization and its controls. These reports can play an important role in:

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

SOC 3 Report

These reports are intended primarily as marketing tools. They are designed to meet the needs of users who need assurance about the controls at a service provider but who do not need the details of a SOC 1 or SOC 2 Report.

Unlike SOC 1 and SOC 2 reports, which are considered restricted use reports, a SOC 3 Report enables the service provider organization to share a general use report that is relevant to current and prospective customers as a marketing tool, demonstrating that it has appropriate controls in place to mitigate risks related to security, privacy, etc.

How to identify the SOC report that is right for you

  • Will the report be used by your customers to plan and perform an audit of your customers’ financial statements? Yes: SOC 1 Report
  • Will the report be used by your customers as part of their compliance with the Sarbanes-Oxley Act? Yes: SOC 1 Report
  • Will the report be used by your customers to gain confidence and place trust in a service organization’s systems? Yes: SOC 1, SOC 2 and SOC 3 Reports
  • Do you need to make the report generally available or use a seal? Yes: SOC 3 Report
  • Do your customers have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor and the results of those tests? Yes: SOC 2 Report; No: SOC 3 Report

SOC Expert


William Long, CISA, CISM, CGEIT, GSEC, GSNA, CSF, PCI QSA

Consultant

Specific Areas of Expertise

  • Information Security Audits
  • PCI DSS Audit
  • Information Security Program Development
  • Cloud Security
  • GDPR, NIST 800-53, ISO 27001, and HITRUST

Lisa Katzen, CISA, PCI QSA

Consultant

Specific Areas of Expertise

  • Information Security Audits
  • PCI DSS Audit
  • Financial Systems
  • HITRUST