Recently, we have noticed that clients of service organizations are asking for a “SOC” report in general, without specifying which type of report they need [i.e., SOC 1 (formerly SSAE 16), SOC 2, or SOC 3]. Clients and prospects have asked us how to determine which type of report they need. The first answer to that question is always: whichever report the service organization’s clients are asking for. If they are not asking for a specific report, or if a service organization is being asked for more than one, the following chart (provided by the AICPA) can help determine which report a service organization may need. A number of our clients need more than one report (e.g., both a SOC 1 and a SOC 2 report), and that is sometimes the best answer.
SOC 1 (formerly SSAE 16)
SOC 1 reports are specifically intended to meet the needs of a service organization’s clients (the user entities) and, more specifically, the auditors/CPAs of those clients. The report covers the controls at the service organization that are relevant to the client’s internal control over financial reporting; the client uses it to evaluate the effect of those controls on its own financial statements, and the client’s auditor/CPA uses it to plan and perform the audit of those financial statements. These reports can be thought of as auditor-to-auditor reports.
SOC 2
SOC 2 reports meet the needs of clients of service organizations that need information and assurance about the controls at the service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by those systems. A report can cover anywhere from one to all five of the Trust Services Principles (TSPs): Security, Availability, Processing Integrity, Confidentiality, and Privacy. Each report is required to include at least Security. Because a SOC 2 report describes the tests performed and their results, it is a restricted-use report, intended for the service organization’s clients, their auditors, and other specified parties rather than for general distribution.
SOC 3
SOC 3 reports also use the Trust Services Principles, but they are intended for clients of service organizations that do not need the details of what was tested and how the testing was performed; a SOC 3 report contains the auditor’s opinion and management’s assertion without the description of the tests and results. SOC 3 reports are general-use reports and can, therefore, be freely distributed.