Which SOC Report Is Right for You?

IT Risk Advisory, SOC, SOC 2
by Holly Russo
share with a colleague Download PDF

Selecting the appropriate System and Organization Controls (SOC) report requires knowledge of the types of reports available. The American Institute of Certified Public Accountants created three primary kinds of SOC reports, as well as some additional reporting options. 

SOC for Service Organizations

SOC Readiness Assessment – Designed to assess preparedness for a SOC examination. Relevant for non-attest consulting engagements to identify gaps in controls and advise the service organization of necessary corrective actions in preparation for the SOC examination.


SOC 1 – SOC for Service Organizations: Internal Controls over Financial Reporting – Report on the controls at the service organization that impact user entities’ financial statements. Use restricted to organizations and their customers.
 

SOC 2 – SOC for Service Organizations: Trust Services Criteria – Report on the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. Use restricted to organizations, their customers, and other specified parties.
 

SOC 2+ – SOC 2 report with additional subject matter or criteria included within the scope of the examination (e.g., PCI, HIPAA, HITRUST, ISO 27001). Use restricted to organizations, their customers, and other specified parties.
 

SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report – Scope is the same as for SOC 2, but the report does not contain a description of the auditor’s tests or results. General use report.

Specialized SOC reports also exist:

SOC for Service Organizations: SOC 2® HITRUST

SOC for Service Organizations: SOC 2® CSA STAR Attestation

SOC for Cybersecurity – General use report on the effectiveness of cybersecurity risk management programs. 

SOC for Supply Chain – Report on an entity’s system and controls to enable users to better understand and manage the risks arising from business relationships with their supplier and distribution networks.

The following scenarios can help determine which report is appropriate for your organization.

Scenario: The report will be used by customers and their auditors to plan and perform an audit or integrated audit of the customers’ financial statements.

Relevant report: SOC 1 Report

Scenario: Customers will use the report as part of their compliance with the Sarbanes–Oxley Act, HIPAA, PCI, HITRUST, or similar law, regulation, or framework.

Relevant report: SOC 1 or 2 Report

Scenario: Customers or stakeholders will use the report to gain confidence and trust in a service organization or other organization systems.

Relevant report: SOC 2 or 3 Report, SOC for Cybersecurity, SOC for Supply Chain

Scenario: The report needs to be generally available.

Relevant report: SOC 3 Report, SOC for Cybersecurity, SOC for Supply Chain

Scenario: Customers need to understand the details of the processing and controls at the service organization and/or other organization, tests performed by the service auditor, and results of those tests.

Relevant report: SOC 1 and  2 Reports

Scenario: Customers do NOT need to understand the details of the processing and controls at the service organization and/or other organization, tests performed by the service auditor, or results of those tests.

Relevant report: SOC 3 Report, SOC for Cybersecurity, SOC for Supply Chain

SOC 1 and SOC 2 can either be Type 1 or Type 2 reports.

  • Type 1 – Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives (SOC 1) or applicable trust services criteria (SOC 2) included in the description as of a specified date. 
  • Type 2 – Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives (SOC 1) or applicable trust services criteria (SOC 2) included in the description throughout the specified period.

In simple terms, a Type 1 report focuses on the existence of internal controls; Type 2 covers their performance over time.  

Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit, and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients’ expectations. If you are interested in learning how we can assist your organization, please contact us to get started or learn more about our practice at www.schneiderdowns.com/soc

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Cybersecurity, IT Risk Advisory, Risk Advisory/Internal Audit BY Nathan Shepler
8 Key Considerations When Reviewing User Access
read more >
IT Risk Advisory, Risk Advisory/Internal Audit, SOC 2 BY Nicholas DeLuca
SOC 2 Terminology: Vendor vs Subservice Organization vs Subcontractor vs Third Party vs Nth Party
read more >
IT Risk Advisory, Risk Advisory/Internal Audit BY Michael Sinkevich
Did Poor Change Management Contribute to the AT&T Wireless and McDonald’s Outages?
read more >
IT Risk Advisory, Risk Advisory/Internal Audit, SOC BY Anna Young
Subservice Organizations: Their Role and Impact on Your SOC Report
read more >
Cybersecurity, IT Risk Advisory BY Madeline Adamczyk
Allegheny County Marriage License Data Leak May Affect Recent Newlyweds
read more >
IT Risk Advisory BY Sean Thomas
PCI DSS v4.0 is Here…Are You Ready?
read more >
Register to receive our weekly newsletter with our most recent columns and insights.
subscribe for updates
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us
Pittsburgh
Columbus
Metropolitan Washington
Image of Prime Global Logo
follow us client portal

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.

×
Accept