Choosing the Right SOC Report for Your Organization

Written by: Jason Clinton, Katherine Choi, Daniel Lang

As the risks posed by bad actors continue to evolve, many organizations are expanding their risk management programs to cover the risks introduced by their third-party relationships. To understand these risks and how they are being handled, organizations are asking their third parties to provide assurance reports when a relationship begins, and periodically thereafter.

System and Organization Controls (SOC) reports continue to be the most popular assurance reports requested to satisfy due diligence and monitoring requirements. SOC reports are issued by independent audit firms that provide an opinion on the state of internal controls related to a defined system (e.g., the product/service being provided).

When an organization contacts an independent audit firm to pursue a SOC report, some common questions will come up during the discussion:

  • What are the different types of SOC reports that are available?
  • What type of report is best for my organization to satisfy the needs of my customers?

To answer the first question, the American Institute of Certified Public Accountants (AICPA) offers a variety of SOC reports designed to help organizations meet the differing needs of their customers. Today, we will highlight the three most common types of SOC reports and the best audience for each.

SOC 1

A SOC 1 report is an internal controls report related to financial reporting. These reports are issued by organizations whose product/service can directly impact the financial information and financial reporting of their customers.

Core banking providers, investment advisors, trust companies, payroll providers, and other companies whose services are relied upon by their customers to make financial decisions commonly issue SOC 1 reports. The SOC 1 report will typically include the opinion of the audit firm, an assertion by the management of the organization, a description of the system and the controls, and the detailed testing procedures performed by the audit firm along with the test results. A SOC 1 report is a restricted-use report, meaning it can only be shared with customers and their auditors, the auditors of your organization, and potential customers.

SOC 2

A SOC 2 report covers an information system and evaluates the controls against selected trust services categories. The trust services categories include:

  • Security. This category evaluates information and systems controls that protect against unauthorized access, disclosure, or damage.
  • Availability. This category evaluates information and systems controls governing availability for operations and usage to meet the needs of customers.
  • Confidentiality. This category evaluates controls governing how an organization protects information designated as confidential from creation to destruction based on contractual obligations to customers.
  • Processing Integrity. This category evaluates controls to ensure information used in processing is complete, valid, accurate, timely, and authorized.
  • Privacy. This category evaluates controls governing how organizations collect, use, retain, disclose, and dispose of personal information based on their obligations to customers.

A SOC 2 report can include either a single trust services category or any combination of categories. The selected categories are based on the needs of the broad customer base. Software-as-a-Service (SaaS) providers, data centers, consulting companies, and other organizations that provide an information system commonly issue SOC 2 reports.

The SOC 2 report will commonly include the opinion of the audit firm, an assertion by the management of the organization, a description of the system and the controls, and the detailed testing procedures performed by the audit firm along with the test results. A SOC 2 report is a restricted-use report that can only be shared with your organization’s auditors, customers and their auditors, potential customers, business partners, and regulators who have sufficient knowledge to understand the report and the defined scope of the system.

SOC 3

A SOC 3 report is similar to a SOC 2 report in that it covers an information system and evaluates the controls against selected trust services categories. However, a SOC 3 report is intended for public distribution and has no restrictions on its audience.

Because these reports are intended for public use, they do not include detailed descriptions of the system or the internal controls. The reports themselves include only the audit firm’s opinion, management’s assertion, and attachments that highlight commitments to customers and overviews of control areas. A SOC 3 report can be a useful tool for giving prospective customers information to learn more about a product or service. However, a serious prospect or existing customer rarely accepts these reports to meet due diligence and monitoring requirements.

In summary, the AICPA designed the different types of SOC reports to give your organization flexibility in meeting reporting obligations to your customers. The type of report you select will be based on the services you provide and the requests of your customers. If you have any questions about the best report to pursue, or about whether the requests of your customers are valid, we are here to help!