System and Organization Controls (SOC) Reports are reports governed by standards issued by the AICPA and are relevant to service organizations who offer services such as software as a service, cloud computing, data hosting, etc.
System and Organization Controls (SOC) is a common phrase used by CPAs and service organizations to refer to system-level and entity-level controls at a service organization. A service organization provides services to other entities and they have system and organization controls in place which make up the organization’s internal control environment.
There are several SOC report options to choose from: SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity. We are going to dive further into the most commonly used SOC reports (SOC 1, SOC 2 & SOC 3) and their differences below.
What is a SOC 1 vs a SOC 2 Report?
SOC 1 reports are outlined in the Statement on Standards for Attestation Engagements (SSAE) 18, specifically section AT-C 320. A SOC 1 report is typically the right choice when the service organization can impact its customers’ internal control over financial reporting (ICFR). In other words, internal controls at the service organization can impact its customers’ financial statements.
For example, a service organization may need a SOC 1 if it performs payroll processing, claims processing, or credit card payment processing, or operates a data center.
The key difference to note in a SOC 1 vs a SOC 2 is that a SOC 1 focuses on a service organization’s internal controls that can impact a customer’s financial statements while a SOC 2 focuses on controls relevant to compliance and operations, outlined by the AICPA’s Trust Services Criteria (TSCs).
What is a SOC 2 Report?
As mentioned above, SOC 2 reports are typically used to meet the needs of a broad range of users that are concerned with a service organization’s controls relevant to the TSCs outlined by the AICPA. Similar to a SOC 1, SOC 2 reports are outlined in the SSAE 18 standard but are addressed in sections AT-C 105 and 205.
There are five TSCs that can be included in a SOC 2 report, and the only one that is required is the Security TSC. Service organizations decide whether to include the other four (Availability, Processing Integrity, Confidentiality, and Privacy) based on the risks present in the services they provide.
What is a SOC 3 Report?
A SOC 3 report, similar to a SOC 2 report, is also outlined in the SSAE 18 standard, specifically sections AT-C 105 and 205.
According to the AICPA, a SOC 3 report is, “designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report.”
Additionally, SOC 3 reports are general use reports so they can be used by the service organization as a marketing tool to provide to prospective customers.
What is a SOC 2 Report vs a SOC 3 Report?
Since SOC 2 and SOC 3 reports are governed by the same AICPA standards, the work performed by the service auditor for these two reports is very similar. Both reports are designed to address the AICPA TSCs so the controls identified and tested by the service auditor are typically the same for both reports. The key difference in these reports is in the reporting.
SOC 2 reports can be either a Type I or a Type II report, while a SOC 3 report is always a Type II and does not have the option for a Type I. Additionally, SOC 2 reports are restricted use reports, intended for the use of the service organization’s management, customers, and their customers’ auditors.
SOC 3 reports, on the other hand, are general use reports that can be distributed freely by the service organization. This is because SOC 3 reports contain significantly less detail in the report itself.
Often, service organizations will make their SOC 3 available on their website, whereas customers must request a copy of the SOC 2 from the service organization.
Unlike SOC 2 reports, SOC 3 reports do not include a detailed description of the controls tested by the service auditor, the test procedures, or the results of those procedures. A SOC 3 report typically contains only a short auditor’s opinion, a management assertion, and a system description.
Because the report does not go into much detail on the system and how it operates, the controls tested, or the results of those tests, a SOC 3 is a great tool for marketing to prospective customers, but a SOC 3 alone would typically not satisfy the needs of current customers and their auditors.
In many situations, we see clients obtaining either a SOC 2 or both a SOC 2 and a SOC 3. Since the cost of performing the two examinations is similar (the same criteria must be met), it often makes more sense for a service organization to obtain a SOC 2 and add on a SOC 3 for an incremental fee.