There is a variety of SOC reports the AICPA created, and each serves its own purposes. In this article, we will show you the differences between the three main SOC reports: SOC 1, SOC 2, and SOC 3.
What This Means For You
When you think of SOC 1, you should be thinking about financial statements. SOC 1 reports discuss the internal controls for financial reporting (ICFR). Think about it this way: if your service has an impact on the financial statements of your customers, then you should be considering a SOC 1 report. But those financial-related controls are not the only items covered in the report. You may find that you also need to report on some of the categories of information you would find in a SOC 2 report, like security, confidentiality, etc. Those can be incorporated easily because, in SOC 1, you define the Control Objectives.
Let’s use an example. Let’s say you are a payroll processor service organization. You take your customer’s raw data for payroll, run it through your systems, and produce payroll reports, tax filings, and employee pay stubs for those customers. Payroll is a significant part of your customer’s income statement in their financial statements. So, you may have objectives about the accuracy of calculating those payroll items and how you file taxes with government entities. You also may have objectives related to protecting your customer’s data, which, for example, could be similar to the logical access requirements from CC6 in SOC 2. Because there are no prescribed objectives in SOC 1, you would have to determine what all of your objectives for customers are related to your service and include them in the report.
Finally, while SOC 1 reports require a system description, the description criteria are less extensive than those required under SOC 2.
We go into much more detail about SOC 2 reports on our pillar page. For our purposes here, the primary difference between SOC 1 and SOC 2 reports is that SOC 2 reports do not cover financial objectives because SOC 2 is focused on the Trust Services Categories associated with the service commitments you make to your customers. Let’s go back to our example payroll processor again. They might also need a SOC 2 in addition to their SOC 1. In their agreements, they are making commitments to customers around the security and confidentiality of customer data, as well as being available 99.99% of every month. In this case, the security, availability, and confidentiality categories would all be applicable (or 'in scope') for their SOC 2 and could be tested in conjunction with the SOC 1 testing, since both reports would share some similar objectives.
So what is SOC 3 then? A SOC 3 report is simply a redacted version of a SOC 2 report. It is still based on the same trust services categories and criteria, but it is limited to a redacted version of the system description. It does not include Section 4 in the report, which would show details of the controls, the auditor’s testing of those controls, and the results of testing. SOC 3 reports are meant for public use, and many times companies will provide them via their website with no NDA required. We discuss SOC 3 reports a bit more in this video.
What is common amongst all three of these SOC reports is an assertion from company management and an auditor’s opinion. The language in those may be different between each of these reports, but the purpose of these sections remains the same.
So which SOC report is right for you?
SOC 1 – does your service have an impact on the financial statements of your customers?
SOC 2 – are you committing to anything related to the trust services categories (security, availability, confidentiality, processing integrity, privacy)?
SOC 3 – do you need a public version of your SOC 2 to display to customers, potential customers, investors, or other interested parties?
Based on the answers to those questions, along with your objectives, you can find your way to the right path for SOC reporting. But don’t do it alone! We here at Bytechek have been dealing with SOC for years and we even participated in the development of the AICPA’s SOC 2 guide. We can help you navigate the journey and figure out how to make compliance suck less for your company.