WHICH SOC REPORT DO WE NEED?

We have put together all the information you need to answer your questions about SOC reports, including what they are, what they do, and what it takes to get them done. We also help you figure out where to start when choosing a partner to help issue your report.

Determining Which SOC Report is Right For You



Why do clients ask for SOC reports?

Even though your clients may have outsourced some part of their work to you, they still have to answer to their customers about the financial accuracy of your work and the security of the sensitive information they’ve shared with you. When a client or prospect requests a SOC Report from your organization, they are asking for a high level of assurance about your organization's practices, policies and procedures, assurance that can protect them should they be challenged on their own ethics, accuracy or compliance with established industry processes.

You are not required by law to provide a SOC report, and the investment for everything that goes into preparing the report falls entirely on your company. However, if you choose not to provide a SOC Report when one is requested, you risk losing this customer or prospect to another vendor that won’t hesitate to supply the assurances provided by a SOC report.

When you’ve been asked by a customer or stakeholder for a SOC report, figuring out which type of SOC report you need can seem like a very daunting question to answer. But once you understand what and who each report is designed for, it will not be so confusing. Here's a quick summary.

There are currently four different categories of SOC reports plus a HITRUST report, and each one of them has a different purpose or is designed for a unique audience.

SOC 1 Report: The main purpose of this report is to reassure your customers that the financial information you are providing to them is accurate and does not affect their bottom line in unexpected ways.

SOC 2 Report: These reports are the most recognized form of assurance that service providers are protecting sensitive data and minimizing risk for their customers.

SOC 3 Report: This is a streamlined version of a SOC 1 or SOC 2 report and is generated by an independent auditor for public distribution, usually for marketing purposes, while SOC 1 and SOC 2 reports are NOT usually for public distribution.

SOC for Cybersecurity: The SOC Report for Cybersecurity is a fairly new entry to the field of SOC reporting, but one that seems to be rising in popularity. This report is heavily based upon the framework used in a SOC 2 report but is designed especially for enterprise-level, publicly traded corporations and non-profit entities, mostly to provide information to board members and/or upper-level managers of these organizations.

HITRUST Report: HITRUST Reports benefit service providers. Organizations and third-party administrators that work with, consume and store information that is protected under HIPAA may be asked to provide a HITRUST Report for their customers.

As specialists in preparing SOC reports nationally for clients across various industries, Maloney + Novotny can help you figure out which report will best provide the assurances your customers are seeking, without having to invest more time or resources than you need to.

With 30+ years of experience in preparing and issuing SOC reports, Maloney + Novotny can help you determine what your customers are asking for, and help you provide those answers, without breaking the bank, ultimately satisfying your customers without putting too much of a burden upon your organization.
