SOC REPORTS OVERVIEW

We have put together all the information you need to answer your questions about SOC reports, including what they are, what they do, and what it takes to get them done. We also help you figure out where to start when choosing a partner to help issue your report.

A Primer on SOC Reports


A quick look at the differences between the major categories of SOC Reports and the industries or organization types that can reduce their risk by having them.


SOC 1


What It Is

An audit process and a restricted-use, time-dependent report that gives you and your customers assurance that the financial information you prepare for them, which affects their profitability, is accurate and can be trusted. This report provides an unbiased professional opinion stating whether or not, or the degree to which, your client(s) can trust that the numbers you provide them with are correct.

Who Might Need One

  • Loan Servicing Organizations
  • Medical Billers
  • Third-party Administrators
  • Property Managers
  • Payroll Processors

SOC 2


What It Is

An audit and restricted-use report covering service providers. It gives assurance that any data the organization consumes for the purpose of rendering services is being protected to the fullest extent possible, and that the service provider is doing everything it can to protect that data as it's being used, stored and removed. The report provides an unbiased professional opinion stating whether or not, or the degree to which, the customer's data is being safeguarded.

Who Might Need One

  • Software-as-a-Service Companies
  • Insurance Companies
  • Data Centers
  • Health Care Program Administrators
  • Financial Service Providers

SOC 3


What It Is

A streamlined version of a SOC 1 or SOC 2 Report generated by an independent auditor for public distribution, usually for marketing purposes. SOC 3 reports describe the overall controls in place at service organizations as a way to demonstrate accuracy and protection of financial and sensitive data. However, the information is limited to describing the overall controls in place and does not include audit findings or an unbiased opinion from a third-party auditor. Although a SOC 3 report is usually considered unnecessary, some organizations may opt for a SOC 3 report or SOC 3 “seal of approval” that can be used for marketing purposes to demonstrate their commitment to ethical standards and practices.

Who Might Need One

  • Enterprise-level service providers such as Google, Amazon and YouTube

SOC for Cyber Security


What It Is

A newer entry to the arena of SOC reporting, the SOC for Cyber Security is a report generated by an independent auditor for enterprise-level organizations to inform boards of directors, upper management and investors how the organization is managing risk related to cyber security. This report may or may not include an audit.

Who Might Need One

  • Enterprise-level publicly traded corporations
  • Large non-profit organizations
  • Cloud Providers
