What Is a SOC report & Why Is It Important?
Data breaches are on the rise. In Q2 2023, they increased by 156% globally compared to the previous quarter.
As a result, it’s more important than ever for your organization to earn customers’ trust.
That’s where System and Organization Controls (SOC) comes in. A SOC report is a way to prove to prospects that your organization has sufficient controls in place to protect their sensitive data.
Below we will cover what a SOC report is, the different types of SOC reports, and how to get one.
What is a SOC report?
A SOC report is generated by an independent audit of a company’s information security systems and the controls it has in place to secure those systems and the information stored, processed, and/or transmitted by them. Only a CPA or an organization accredited by the American Institute of Certified Public Accountants (AICPA) can conduct a SOC audit.
Aside from a few common criteria related to security, every SOC report is personalized to the specific company under audit. A SOC report may cover controls related to:
- Processing Integrity
- Financial reporting
That’s why no two SOC reports will look exactly alike.
SOC Audit: What It Is, How it Works & How to Prepare Your Service Organization
What is a SOC report used for?
A SOC report is used to verify the design and operating effectiveness of the controls a service organization has in place to securely handle customer data.
A prospective client may request a service organization get a SOC report as a condition for working together. This is a common practice among user entities, similar to asking for references before hiring an employee. A user entity is an organization that outsources a business function to, or otherwise partners with, a service organization.
Alternatively, a service organization might decide to pursue SOC compliance before anyone asks for it. This can help to attract potential customers by demonstrating that the company can be trusted.
Who needs a SOC report?
SOC is specifically designed to test the security of information systems. Therefore, individuals or companies that seek SOC compliance tend to be in the business of handling large amounts of information on behalf of other companies.
Examples include but are not limited to:
- Money managers
- Third-party software developers
- Staffing firms
- Marketing agencies
- Billing management platforms
- Trust companies
- Financial reporting software companies
- Cloud service providers
- HR management service organizations
- Recruitment platforms
- Host data centers
- SaaS providers
- Insurance claim processors
At Secureframe, we regularly seek SOC 2 compliance and include processing integrity within the scope of our audit to practice what we preach. As compliance automation professionals, we’re a prime example of a business that needs to build trust among our customer base.
SOC 2 Compliance: Requirements, Audit Process, and Benefits for Business Growth
What are the different types of SOC reports?
Each type of SOC report has a slightly different set of use cases.
As you’ll read in the next section, SOC 1® and SOC 2® are subdivided into Type 1 and Type 2. Both Type 1 and 2 refer to how the audit is conducted, while SOC 1, 2, and 3 refer to the subject matter of the SOC report.
A SOC 1 audit is for any organization that provides its clients with services related to financial reporting.
To put it another way: if anything a business does could impact a financial audit of one of that business’s clients, that business might need a SOC 1 report.
Examples include accountants, payroll processors, or tax preparation assistants.
Since CPAs manage SOC, and financial statements and other information is often the most sensitive, financial controls are an area of special interest. The SOC 1 process examines a company’s security and business processes, looking for any risks to users’ financial information.
A service auditor should also check to see if any risks that arise from the audited business could impact internal controls put in place by clients. You could have the best information security in the world, but that’s not worth much if you contract with third parties who don’t uphold the same standards.
SOC 1® Type 1 and 2
- SOC 1 Type 1: An audit that checks whether your systems are designed to achieve the proprietary criteria of SOC 1 (ie. the related control objectives included in the description) at a specific point in time to protect financial controls. Type 1 audits are relatively cheap and easy, but aren’t as thorough as Type 2s. Think of them as dipping your toes in the water: you get a feel for what an audit is like, but you’re not diving all the way in.
- SOC 1 Type 2: An audit that examines how your systems are designed AND whether the financial controls are implemented and effective over a specified period of time. A Type 2 report takes longer (between 3 and 12 months) because the auditor needs to run control tests on your information systems. Whereas Type 1 is like dipping your toes in the water, Type 2 is like going for a full swim.
SOC 2 is by far the most commonly sought form of SOC compliance. It’s for any organization providing third-party services that require customers to trust them with sensitive data. It’s particularly popular among software-as-a-service (SaaS) companies.
Instead of a pre-determined list of controls like those that make up most ISO criteria, SOC 2 is based on the “trust services criteria'' (TSC). This groups suggested controls under five categories:
- Processing integrity
The trust principles you select inform your attestation criteria. According to the AICPA, they should be relevant, objective, measurable, and complete.
The controls grouped under Security, known as the “common criteria,” are the only ones required to undergo a SOC 2 audit. Companies are asked to document their control environment, communication and information protocols, risk management and assessment processes, and how they implement and monitor controls.
All the others are optional, though most auditors will check on more than the bare minimum. Confidentiality and availability, while not required, are often included in scope. Privacy and processing integrity are generally included based on the nature of the organization’s systems and services. For example, if your system has a lot of sensitive personal data, you may want to consider privacy in scope. If your system processes a lot of data and/or has integrations, you may want to consider processing integrity.
SOC 2® Type 1 and 2
- SOC 2 Type 1: An audit that tests whether your controls are designed according to relevant trust services criteria at a single point in time. Since SOC 2 Type 1 audits and reports can be completed in a matter of weeks, they can help organizations that are short on time and resources to quickly prove to prospects that they’re secure.
- SOC 2 Type 2: An audit that examines whether your controls are designed according to relevant trust services criteria AND whether the controls are implemented and effective throughout a specified period of time. Since SOC 2 Type 2 reports cover the continuous functionality of controls in a range of time, Type 2 SOC reports are much more comprehensive than Type 1 reports and carry more weight with user entities.
A company that gets a SOC 2 audit usually provides some sort of B2B service or B2B2C service. However, since a SOC 2 report is not necessarily public knowledge (and isn’t easy for a non-professional to parse), the company might get a SOC 3® report instead.
A SOC 3 report is similar to a SOC 2, except it’s shorter and public. It’s a more digestible product that can be used for marketing or made available to customers for free. SOC 3 reports are an easy way to build trust among large groups of individuals.
What Is a SOC 3 Report & Do You Need One? [+ Example]
Other SOC engagements
The AICPA has added to its SOC suite of services over time. Let’s take a look at two recent developments below.
SOC for Cybersecurity
SOC for Cybersecurity is a reporting framework that assists organizations in communicating relevant and useful information about the effectiveness of their cybersecurity risk management programs.
A SOC for Cybersecurity examination and related report evaluates the design of an organizations' enterprise-wide cybersecurity risk management program based on the trust services criteria, or other suitable criteria such as ISO 27001 or NIST CSF, and whether they were effective in achieving the organization’s specified cybersecurity objectives.
While SOC 2 is best suited for service organizations, SOC for Cybersecurity is suited for virtually any type of organization.
The purpose of this type of examination and report is to provide general users, including the organization’s management, directors, investors, business partners, and other stakeholders, with information about the organization’s cybersecurity risk management program that helps inform their decision-making.
Like a SOC 3 report, a SOC for Cybersecurity report is appropriate for general use.
SOC for Supply Chain
SOC for Supply Chain is a reporting framework that helps organizations communicate certain information about the supply chain risk management efforts and assess the effectiveness of system controls that mitigate those risks. Ultimately, the AICPA’s goal in developing this solution was to foster greater transparency in the supply chain.
Like SOC 2, a SOC for Supply Chain examination and related report evaluates the design of an organizations' controls based on the trust services criteria.
Unlike a SOC 2, SOC for Supply Chain is best suited for organizations that produce, manufacture, or distribute products. The purpose of this type of examination and report is to to help organizations and their customers and business partners identify, assess, and address the risks arising from business relationships with their suppliers.
|SOC Suite of Services||SOC 1||SOC 2||SOC 3||SOC for Cybersecurity||SOC for Supply Chain|
|Purpose||Provide specific users with information about controls relevant to user entities’ internal control over financial reporting||Provide specific users with information about controls related to security, availability, processing integrity, confidentiality or privacy||Provides general users with easy-to-read report on organization’s controls related to security, availability, processing integrity, confidentiality, or privacy||Provide general users with information about organization’s cybersecurity risk management program||Provide specific users with information about controls related to security, availability, processing integrity, confidentiality or privacy to better understand and manage supply chain risks|
|Applicable to||Service organizations that impact the financial operations of users||Service organizations||Service organizations||Any type of organization||Producers, manufacturers, and distributors|
|Intended users||User entities and their auditors||Management and specified parties, such as user entities||Prospects and any other users with need of assurance of service organization’s controls||Management, directors, investors, business partners and other stakeholders||Management, customers, business partners|
|Distribution||Restricted||Restricted||General audience||General audience||Restricted|
|Control criteria||Control objectives that address the services being provided||AICPA Trust Services Criteria||AICPA Trust Services Criteria||AICPA Trust Services Criteria (or other suitable criteria such as ISO 27001 or NIST CSF)||AICPA Trust Services Criteria|
|Contents of report||Description of system, management’s assertion, and CPA’s opinion (and Description of tests and results for Type 2)||Description of system, management’s assertion, and CPA’s opinion (and Description of tests and results for Type 2)||Management’s assertion and CPA’s opinion||Description of cybersecurity risk management program, management’s assertion, and CPA’s opinion||Description of the organization’s production, manufacturing, or distribution system, management’s assertion, CPA’s opinion, and Description of tests and results|
What are the contents of a SOC report?
While the contents of a SOC report vary depending on the type, most share common components of a SOC 2 Type 2 report.
The AICPA provides an illustrated example of a SOC report on its website. It runs 31 pages, a fairly typical length. A quick review of the contents reveals the following:
1. Opinion letter: A summary of the auditor’s (or practitioner’s) opinion, illustrating whether they think the target company passes inspection.
- An “unqualified opinion” is a pass with flying colors.
- A “qualified opinion” means the company is almost compliant, but one or more areas aren’t there yet.
- An “adverse opinion” is a failure. The company falls short in one or more non-negotiable areas.
- A “disclaimer of opinion” means the auditor doesn’t have enough evidence to support any of the first three options.
2. Management assertion: Summarizes what the managers of the company under audit told the auditor about their information security controls.
3. Description of systems: Explains what the company does and how they describe their own infrastructure. Note: This is not included in a SOC 3 report. In a SOC for Cybersecurity, a description of the organization’s cybersecurity risk management program is included instead.
4. Applicable criteria: Lists each internal control the company believed was applicable to their own services, alongside the results of tests of controls. Note: Control tests and results are not included in a SOC 1 Type 1, SOC 2 Type 2, SOC 3, or SOC for Cybersecurity.
5. Other information: Information provided by the company that the auditor determined not to be relevant.
Now that you have a better idea of what SOC reporting looks like, let’s walk through the process of getting one.
How to Write a SOC 2 System Description + Real Examples
How to Get a SOC Report
A SOC report is generated by a SOC audit conducted by a SOC analyst. This is usually a CPA or an AICPA-accredited organization. Before you invite an auditor to your office, your first step is to decide exactly what sort of SOC report you need.
Step 1: Choose a type of SOC report.
First, choose from among the three SOC categories in the previous section. They’re not mutually exclusive. In fact, some companies might seek all three.
Plenty of large corporations offer both financial and non-financial services and want to build trust among businesses and the public.
Say your company is a small startup that provides cloud services to larger businesses. Obviously, you would choose SOC 2.
Next, you’ll need to choose between a SOC 2 Type 1 report and Type 2 report. Choose based on your budget and the urgency of producing the certificate. Many organizations choose to start with a Type 1 audit and then use that report to undergo Type 2.
Step 2: Conduct a readiness assessment.
Next, conduct a readiness assessment. This is like studying for and taking a practice test — it ensures the auditor doesn’t catch you unprepared.
To do a readiness assessment, you have to get familiar with the trust services criteria.
Be able to answer questions like:
- “How is my system protected against attacks?” (Security)
- “How do we decide when to make data from the system available?” (Availability)
- “Does the system work the way it needs to?” (Processing integrity)
- “How do we ensure the system keeps private information away from unauthorized personnel?” (Privacy)
- “When information must be shared, what keeps the exchange secure?” (Confidentiality)
Consider every possible way the Trust Services Criteria might apply to your infrastructure. If you discover any areas in which your system falls short, determine what you need to do to become compliant. This is called a “gap analysis” — closing the gap between where your system is and where it needs to be.
Step 3: Prepare documentation for your auditor.
Next, document everything heavily. You should be able to look at a complete list of the TSC and immediately produce documentation explaining how your information security meets each criterion.
While the kind and amount of documentation required for compliance will vary depending on the type and scope of your audit, you will need to provide the following documents at a minimum:
- Management assertion
- System description
- Control matrix
Step 4: Pick your auditor.
Finally, decide who you want to serve as your third-party auditor. Pick a well-reviewed CPA or auditing firm that has experience in your industry. Or pick an auditor that is familiar with your compliance automation tool.
The auditor will spend anywhere from a few weeks to several months working with your team before producing a SOC report. If you get an unqualified opinion in your report, congratulations! If not, use the SOC report as lessons learned for closing gaps and try again for an improved report.
15+ Tips for Choosing an Auditor, According to Secureframe Audit Partners
How Secureframe can help you get the SOC report you need
Secureframe can not only help you decide what type of SOC report your business needs — we can also help you streamline the process.
By simplifying SOC 2 compliance through AI and automation, we save teams hundreds of hours and thousands of dollars spent writing security policies, collecting evidence, hiring security consultants, and performing readiness assessments. And because Secureframe continuously monitors your infrastructure and alerts you of vulnerabilities, you’ll be able to get and stay SOC compliant easier and faster.
Request a demo to learn more about how we can help you get the SOC report you need.
What does SOC stand for?
SOC stands for “System and Organization Controls,” Previously, it stood for “Service Organization Controls.”
What is a SOC report?
A service organization controls (SOC) report is an assessment of the controls put in place at a service organization to secure information and information systems.
What are the types of SOC?
There are five main types:
- SOC 1: Provides information about a service organization’s controls relevant to user entities’ internal control over financial reporting to specified parties
- SOC 2: Provides information about a service organization’s controls relevant to security, availability, processing integrity, confidentiality, or privacy to specified parties
- SOC 3: Provides information about a service organization’s controls relevant to security, availability, processing integrity, confidentiality, or privacy to general audience
- SOC for Cybersecurity: Provides information about a service organization’s cybersecurity risk management program to general audience
- SOC for Supply Chain: Provides information about a producer’s, manufacturer’s, and/or distributors’s controls relevant to security, availability, processing integrity, confidentiality, or privacy to specified parties
How long is a SOC report valid?
Technically, SOC reports don’t expire, but generally a SOC report is considered valid for one year following the date the report was issued. Any report that’s older than one year becomes “stale” and is of limited value to potential customers.
Because of this, the vast majority of service organizations renew their attestation report every year without any gaps.
How much does a SOC report cost?
Most companies can expect to spend between $20K-$100K to prepare for and complete a SOC audit and get their report. Get a more detailed breakdown of SOC 2 audit costs here.
However, many factors influence the typical SOC audit cost, including:
- Type of SOC audit
- Scope of your audit
- Size of your organization
- Complexity of your systems and internal control policies
- Outsourced services, like hiring a CPA firm to conduct audit preparation and readiness assessments
- Additional security tools and employee training you’ll need to close any gaps
Compliance automation software like Secureframe saves companies thousands of dollars and hundreds of hours preparing for and completing a SOC audit. Our platform’s built-in policy libraries, security training, and readiness assessments mean you’re not paying consultants.
It can also help you save your team’s productivity costs and get a SOC report faster by streamlining the compliance process and automatically collecting evidence for your auditor.
Are SOC reports mandatory?
SOC reports are not mandatory. However, they are increasingly considered table stakes for growing companies. Customers are looking for companies, small and large, that can protect the security and privacy of their data and interests. A SOC report is an ideal way to demonstrate a commitment to security and privacy, while helping companies unlock growth, expand into new markets, and accelerate revenue.
What is the difference between SOC and ISO 27001?
Given that they’re both standards for auditing information security protocols, SOC and ISO 27001 are often confused. If you’ve ever mixed them up, you’re not alone: ISO and SOC share almost all the same controls, varying by as little as 4%.
But they’re not identical. There are two key differences between SOC and ISO 27001:
- Type of security. SOC is a freeform set of standards that measure what your company is doing to protect client information. ISO 27001 has the same goal but a more restricted way of achieving it. To achieve ISO 27001 compliance, businesses must build and document an information security management system (ISMS). That’s a slightly more stringent standard, and a set of policies that are not required for SOC 2.
- Geographic area. SOC audits are better-known in North America and thus carry more weight. ISO 27001 is more popular outside of North America. This is almost always the deciding factor. Think of ISO 27001 as the metric system to SOC’s imperial system. Much of the world uses ISO 27001 while North America uses SOC.