Decoding SOC Reports

Demystifying SOC Reporting Blog Couple Climbing Mountain
October 18, 2019
 / 
Impact Makers
 / 

Part 2 of 3: Understanding SOC Reports to Build Trust and Reduce Risk

By Zachary Ugol, Risk Management Consultant

As noted in our earlier blog, System and Organization Controls (SOC) can be helpful tool in establishing and maintaining trust between service providers and their customers. Yet there are still a lot of questions around SOC reporting: Which SOC report is right for my organization?

Which KIND of SOC report is right for my organization – SOC 1, SOC 2, SOC 3, or SOC for Cybersecurity?

Did you know there are four (4) kinds of SOC reports that each serve a unique purpose?  Refer to the table below for a brief overview of the kinds of SOC reports available.

Comparing Different Kinds of SOC Reports

SOC 1 SOC 2 SOC 3 SOC for Cybersecurity
Use Used in Financial Statement Audits Used in Compliance and Operations Used in Marketing Used in Compliance and Operations
Contents Report on Internal Controls over Financial Reporting (ICFR) Report on Trust Service Criteria (Security, Confidentiality, Availability, Integrity, Privacy) Report on Trust Service Criteria (Security, Confidentiality, Availability, Integrity, Privacy) Report on Trust Service Criteria (Security, Confidentiality, Availability, Integrity, Privacy)
Guidelines Performed in accordance with AICPA – SSAE18 Performed in accordance with AICPA – AT101 Performed in accordance with AICPA – AT101 Performed in accordance with AICPA – AT101
Restrictions Restricted Use – limited to users of the service and their auditors Restricted Use – limited to users of the service and their auditors Unrestricted Use – can be distributed publicly General Use – can be provided to general users

Share this on LinkedIn, Facebook, or Twitter.

While some of the reports seem similar, there are important distinctions between the various reports that must be considered when determining which report is right for your organization. For instance, a SOC 2 and a SOC for Cybersecurity are very similar, but the differences are significant. To help, the AICPA has developed a useful guide for understanding the key differences between these reports.

It is important for organizations to communicate with their service providers and have transparency related to their compliance requirements in order to determine which kind of report is right for the organization.

Which TYPE of SOC report is right for my organization – SOC report Type 1 or 2?

In addition to the kinds of SOC reports, there are two different types of SOC reports available.  For example, there can be either a SOC 2 Type 1 or a SOC 2 Type 2.  Refer to the table below for the differences between the types of SOC reports.

Comparing SOC Report Types

Type 1 Type 2
Coverage Evaluates the design of controls Evaluates the design and operating effectiveness of controls
Duration Performed at a point in time Covers a period of time

Share this as an image, on LinkedIn, Facebook, or Twitter.

SOC Reports Build Trust and Reduce Risk

It is important for companies and service providers to understand and communicate all compliance requirements when determining which type of report is required. For instance, just because your organization provides or receives a SOC 2 Type 1, does not mean that you have the necessary information to meet compliance requirements. There are plenty of circumstances when a Type 2 report is required.

In order to ensure ongoing protection against potential security breaches, it is important for companies and service providers to ensure the appropriate framework and reporting is being utilized.

Don’t miss our SOC Reporting blog series!

Check out our first SOC reporting blog on responsibilities and benefits of SOC reports.

Stay tuned for our next blog post in which we will highlight some of the important information included within SOC report as well as key questions to ask when reviewing the report. Follow us on LinkedIn, Facebook, and Twitter for updates.  

Learn More: The Impact Makers Solution

Impact Makers’ Risk Management consultants have knowledge of SOC reports and insights to help both service providers and their customers.

For service providers, we help answer the following questions:

  • Do I need to provide a SOC report to my customers?
  • If so, what kind and type of SOC report?

For customers, we help answer:

  • Do I need to request a SOC report from my service provider?
  • If so, what kind and type of SOC report?
  • If I already receive a SOC report, does the existing SOC report meet my compliance requirements?

We work with our customers to deliver and enable strategic business advantage with Information Security & Risk Management services.

To learn more, contact us.



Visit Our Blog

Share This Post


Contact Us
  • This field is for validation purposes and should be left unchanged.