In the first quarter of 2025, organizations experienced nearly 2,000 cyber attacks per week, which is a 47%  increase from the same period last year.

With cyber attacks increasing at an alarming rate, it’s more important than ever for organizations to implement robust security measures and demonstrate that commitment to security, particularly to Fortune 500 and enterprise clients.

That’s where System and Organization Controls (SOC) comes in. A SOC report is a way to prove to customers and prospects that your organization has sufficient controls in place to protect their sensitive data.

Below we will cover what a SOC report is, the different types of SOC reports, and how to get one.

What is a SOC report?

A SOC report is generated by an independent audit of a company’s information security systems and the controls it has in place to secure those systems and the information stored, processed, and/or transmitted by them. Only a CPA or an organization accredited by the American Institute of Certified Public Accountants (AICPA) can conduct a SOC audit.

Aside from a few common criteria related to security, every SOC report is personalized to the specific company under audit. A SOC report may cover controls related to:

• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy
• Financial reporting
• Cybersecurity
• Supply chain security

That’s why no two SOC reports will look exactly alike.

What is the purpose of a SOC report?

The main purpose of a SOC report is to verify the design and operating effectiveness of the controls a service organization has in place for handling sensitive data, financial transactions, cybersecurity risks, or supply chain operations.

While the scope and audience may differ depending on the type of SOC report, the reasons for getting one are similar and often include:

• Building trust with customers and partners: A SOC report shows that your organization takes security and compliance seriously, helping you earn trust with current customers and attract new ones. This is particularly important in industries where data protection is critical, like SaaS and banking, and when moving upmarket. 
• Meeting customer and regulatory requirements: SOC reports provide third-party assurance that your controls are effective, which can be crucial for meeting customer and industry expectations especially if working in finance, healthcare, or government. SOC compliance can also help you comply with other frameworks with common controls like HIPAA, ISO 27001, or NIST 800-53.
• Accelerating sales and reducing friction: SOC reports reduce the need for lengthy security questionnaires or other due diligence. By giving customers the confidence to move forward without additional due diligence, a SOC report can help unblock stalled deals and speed up procurement.
• Gaining a competitive advantage: Having a SOC report signals organizational maturity and security readiness, helping you stand out in crowded markets or compete with larger vendors during RFP processes.
• Entering new markets or industries: A SOC report can be the key to expanding upmarket or in new, international markets with high security expectations, particularly in fintech, healthcare, SaaS, and supply chain operations.
• Improving internal controls and operations: Preparing for a SOC audit often leads to better documentation, stronger onboarding and offboarding processes, and more consistent application of security best practices across the business.
• Fostering a culture of security: Pursuing a SOC report increases security awareness across your teams and reinforces a proactive approach to risk management, making compliance part of day-to-day operations rather than an afterthought.

Who needs a SOC report?

SOC is specifically designed to test the security of information systems. Therefore, individuals or companies that seek SOC compliance tend to be in the business of handling large amounts of information on behalf of other companies.

Examples include but are not limited to:

• Accountants
• Money managers
• Third-party software developers
• Staffing firms
• Marketing agencies
• Billing management platforms
• Trust companies
• Financial reporting software companies
• Cloud service providers
• HR management service organizations
• Recruitment platforms
• Host data centers
• SaaS providers
• Insurance claim processors

At Secureframe, we regularly seek SOC 2 compliance and include processing integrity within the scope of our audit to practice what we preach. As compliance automation professionals, we’re a prime example of a business that needs to build trust among our customer base. 

What are the different types of SOC reports?

The most common types of SOC reports are SOC 1, 2, and 3. Each type has a slightly different purpose and intended audience. 

As you’ll read in the next section, SOC 1® and SOC 2® are subdivided into Type 1 and Type 2. Both Type 1 and 2 refer to how the audit is conducted, while SOC 1, 2, and 3 refer to the subject matter of the SOC report.

SOC 1®

A SOC 1 audit is for any organization that provides its clients with services related to financial reporting.

To put it another way: if anything a business does could impact a financial audit of one of that business’s clients, that business might need a SOC 1 report. 

Examples include accountants, payroll processors, or tax preparation assistants.

Since CPAs manage SOC, and financial statements and other information is often the most sensitive, financial controls are an area of special interest. The SOC 1 process examines a company’s security and business processes, looking for any risks to users’ financial information.

A service auditor should also check to see if any risks that arise from the audited business could impact internal controls put in place by clients. You could have the best information security in the world, but that’s not worth much if you contract with third parties who don’t uphold the same standards.

SOC 1® Type 1 and 2

There are two types of SOC 1 reports:

• SOC 1 Type 1: An audit that checks whether your systems are designed to achieve the proprietary criteria of SOC 1 (ie. the related control objectives included in the description) at a specific point in time to protect financial controls. Type 1 audits are relatively cheap and easy, but aren’t as thorough as Type 2s. Think of them as dipping your toes in the water: you get a feel for what an audit is like, but you’re not diving all the way in.
• SOC 1 Type 2: An audit that examines how your systems are designed AND whether the financial controls are implemented and effective over a specified period of time. A Type 2 report takes longer (between 3 and 12 months) because the auditor needs to run control tests on your information systems. Whereas Type 1 is like dipping your toes in the water, Type 2 is like going for a full swim.

SOC 2®

SOC 2 is by far the most commonly sought form of SOC compliance. It’s for any organization providing third-party services that require customers to trust them with sensitive data. It’s particularly popular among software-as-a-service (SaaS) companies.

SOC 2 is based on five trust services criteria' (TSC):

1. Security 
2. Privacy 
3. Confidentiality 
4. Availability 
5. Processing integrity

An organization selects the TSC that apply to them and then designs a system of internal controls that support their selected TSC. Depending on how many criteria they include in their audit, an organization may need to put between 70 to 150 controls in place and provide documentation and evidence for them. This is why SOC 2 is considered a more flexible security framework than a framework like ISO 27001 framework, which prescribes a pre-determined list of controls for meeting its requirements. 

The Security TSC, also known as the “common criteria,” is the only required criteria to undergo a SOC 2 audit. Companies are asked to document their control environment, communication and information protocols, risk management and assessment processes, and how they implement and monitor controls. 

All the other TSC are optional, though most auditors will check on more than the bare minimum. Confidentiality and availability, while not required, are often included in scope. Privacy and processing integrity are generally included based on the nature of the organization’s systems and services. For example, if your system has a lot of sensitive personal data, you may want to consider privacy in scope. If your system processes a lot of data and/or has integrations, you may want to consider processing integrity. 

SOC 2® Type 1 and 2

There are two types of SOC 2 reports:

• SOC 2 Type 1: An audit that tests whether your controls are designed according to relevant trust services criteria at a single point in time. Since SOC 2 Type 1 audits and reports can be completed in a matter of weeks, they can help organizations that are short on time and resources to quickly prove to prospects that they’re secure. This Secureframe customer got their SOC 2 Type 1 report in six days. 
• SOC 2 Type 2: An audit that examines whether your controls are designed according to relevant trust services criteria AND whether the controls are implemented and effective throughout a specified period of time. Since SOC 2 Type 2 reports cover the continuous functionality of controls in a range of time, Type 2 SOC reports are much more comprehensive than Type 1 reports and carry more weight with user entities. For example, Formsort got SOC 2 Type II compliant to move upmarket and build trust with enterprise customers.

SOC 3®

A company that gets a SOC 2 audit usually provides some sort of B2B service or B2B2C service. However, since a SOC 2 report is not necessarily public knowledge (and isn’t easy for a non-professional to parse), the company might get a SOC 3® report.

A SOC 3 report is similar to a SOC 2, except it’s shorter and public. As a more digestible product that can be used for marketing or sales and made available to customers for free, SOC 3 reports are an easy way to build trust among large groups of individuals.

Other SOC engagements

The AICPA has added to its SOC suite of services over time. Let’s take a look at two recent developments below.

SOC for Cybersecurity

SOC for Cybersecurity is a reporting framework that assists organizations in communicating relevant and useful information about the effectiveness of their cybersecurity risk management programs.

A SOC for Cybersecurity examination and related report evaluates the design of an organizations' enterprise-wide cybersecurity risk management program based on the trust services criteria, or other suitable criteria such as ISO 27001 or NIST CSF, and whether they were effective in achieving the organization’s specified cybersecurity objectives.

While SOC 2 is best suited for service organizations, SOC for Cybersecurity is suited for virtually any type of organization.

The purpose of this type of examination and report is to provide general users, including the organization’s management, directors, investors, business partners, and other stakeholders, with information about the organization’s cybersecurity risk management program that helps inform their decision-making.

Like a SOC 3 report, a SOC for Cybersecurity report is appropriate for general use.

SOC for Supply Chain

SOC for Supply Chain is a reporting framework that helps organizations communicate certain information about the supply chain risk management efforts and assess the effectiveness of system controls that mitigate those risks. Ultimately, the AICPA’s goal in developing this solution was to foster greater transparency in the supply chain.

Like SOC 2, a SOC for Supply Chain examination and related report evaluates the design of an organizations' controls based on the trust services criteria.

Unlike a SOC 2, SOC for Supply Chain is best suited for organizations that produce, manufacture, or distribute products. The purpose of this type of examination and report is to to help organizations and their customers and business partners identify, assess, and address the risks arising from business relationships with their suppliers.

Now that we have a basic understanding of the different types of SOC reports, let’s take a closer look at the use case for each. 

How to know which SOC report you need

Choosing the right SOC report depends on your services, your customers’ expectations, and your organization’s risk environment. While SOC 1, SOC 2, and SOC 3 are the most commonly requested, newer reporting frameworks like SOC for Cybersecurity and SOC for Supply Chain address growing concerns around digital risk and transparency in product development.

Below, we break down the major use case for each report to help you determine the best fit for your business.

SOC 1: For financial reporting impact

Best suited for: Organizations that provide services that could affect a client’s financial reporting, like payroll processing, claims administration, or accounting software.

Most likely requested by: Because these reports focus on internal controls over financial reporting, they are typically requested by customer auditors or finance teams to support their own audit processes for frameworks like SOX.

Which type you need: 

• A SOC 1 Type 1 report is ideal if your organization is short on time or resources and needs to quickly show your financial controls are properly designed at a specific point in time.
• A SOC 1 Type 2 report is ideal for more mature organizations that have the time and resources to prove that those controls are not only designed effectively but also operating as intended over a period of time.

SOC 2: For data security and trust

Best suited for: SOC 2 is the most popular type of SOC report for cloud service providers, SaaS companies, and any third-party vendor that handles sensitive customer information. SOC 2 is often seen as a benchmark for security-conscious B2B vendors and a requirement for growing companies in competitive markets.

Most likely requested by: Customers that trust your business to handle sensitive data will often request a SOC 2 report as part of due diligence and vendor risk management.

Which type you need: 

• A SOC 2 Type 1 report is ideal if you’re a startup or smaller organization that needs to show your security controls are well designed at a single point in time to help close deals fast or differentiate yourself from early-stage competitors. Here’s an example. Here’s an example.
• A SOC 2 Type 2 report is ideal if your organization has enterprise prospects or customers that want proof of both the design and operating effectiveness of those controls over a period of time. Here’s an example. 

SOC 3: For general, public-facing assurance

Best suited for: Organizations that want to signal their commitment to security and transparency to a broader, non-technical audience. A SOC 3 report can be posted on a website and/or shared widely with stakeholders without requiring them to sign an NDA.

Most likely requested by: This may be requested by an internal stakeholder or suggested by the auditor if you’re already undergoing a SOC 2 audit and would benefit from a version of the report for marketing or sales. 

SOC for Cybersecurity: For enterprise-wide risk reporting

Best suited for: Any organization (not just service providers) that wants to communicate the effectiveness of its cybersecurity risk management program to internal or external stakeholders, including boards of directors, investors, or customers in highly regulated industries.

Most likely requested by: Internal or external stakeholders may request this report if your organization is undergoing a digital transformation, operating in high-risk industries, or preparing for IPO or acquisition.

SOC for Supply Chain: For product and sourcing transparency

Best suited for: Manufacturers, distributors, and producers who want to provide transparency around their production or sourcing practices.

Most likely requested by: Customers or business partners that rely on your organization to deliver secure, consistent, and ethically sourced products, especially for industries like healthcare, energy, defense, and consumer goods.

If you're still not certain which SOC report your organization needs, you're not alone. Many companies fall into multiple categories or need to meet the expectations of different stakeholders, from customers to auditors to the board. 

Our team can provide a personalized assessment to ensure you select the right report—just fill out this form.  

What are the contents of a SOC report?

While the contents of a SOC report vary depending on the type, most share common components of a SOC 2 Type 2 report.

Below are the key components based on the illustrated example of a SOC 2 Type 2 report provided by the AICPA on its website. It runs 31 pages, a fairly typical length. 

1. Opinion letter: A summary of the auditor’s (or practitioner’s) opinion, illustrating whether they think the target company passes inspection.

• An “unqualified opinion” is a pass with flying colors.
• A “qualified opinion” means the company is almost compliant, but one or more areas aren’t there yet.
• An “adverse opinion” is a failure. The company falls short in one or more non-negotiable areas.
• A “disclaimer of opinion” means the auditor doesn’t have enough evidence to support any of the first three options.

2. Management assertion: Summarizes what the managers of the company under audit told the auditor about their information security controls.

3. System description: Explains what the company does and how they describe their own infrastructure. Note: This is not included in a SOC 3 report. In a SOC for Cybersecurity, a description of the organization’s cybersecurity risk management program is included instead.

4. Applicable criteria: Lists each internal control the company believed was applicable to their own services, alongside the results of tests of controls. Note: Control tests and results are not included in a SOC 1 Type 1, SOC 2 Type 2, SOC 3, or SOC for Cybersecurity.

5. Other information: Information provided by the company that the auditor determined not to be relevant.

Now that you have a better idea of what SOC reporting looks like, let’s walk through the process of getting one. 

How to Get a SOC Report

A SOC report is generated by a SOC audit conducted by a SOC analyst. This is usually a CPA or an AICPA-accredited organization. Before you invite an auditor to your office, you need to complete some readiness work. 

Here is a high-level overview of the steps you need to complete to get a SOC report.

Step 1: Choose a type of SOC report.

First, choose a type of SOC report based on the specified use case from the previous section. 

Say your company is a small startup that provides cloud services to larger businesses. Then you would choose SOC 2. 

Next, you’ll need to choose between a SOC 2 Type 1 report and Type 2 report. Choose based on your budget and the urgency of producing the certificate. Many organizations choose to start with a Type 1 audit and then use that report to undergo Type 2.

It’s important to understand that the five types of SOC reports are not mutually exclusive. In fact, some companies might seek multiple. Plenty of large corporations offer both financial and non-financial services and want to build trust among businesses and the public. For them, pursuing SOC 1, 2, and 3 reports might offer the most benefits.

Step 2: Conduct a readiness assessment.

Next, conduct a readiness assessment. This is like studying for and taking a practice test — it ensures the auditor doesn’t catch you unprepared.

To do a readiness assessment, you have to get familiar with the trust services criteria. 

Be able to answer questions like:

• “How is my system protected against attacks?” (Security)
• “How do we decide when to make data from the system available?” (Availability)
• “Does the system work the way it needs to?” (Processing integrity)
• “How do we ensure the system keeps private information away from unauthorized personnel?” (Privacy)
• “When information must be shared, what keeps the exchange secure?” (Confidentiality)

Consider every possible way the Trust Services Criteria might apply to your infrastructure. If you discover any areas in which your system falls short, determine what you need to do to become compliant. This is called a “gap analysis” — closing the gap between where your system is and where it needs to be.

Step 3: Prepare documentation for your auditor.

Next, document everything heavily. You should be able to look at a complete list of the TSC and immediately produce documentation explaining how your information security meets each criterion.

While the kind and amount of documentation required for compliance will vary depending on the type and scope of your audit, you will need to provide the following documents at a minimum:

• Management assertion
• System description
• Control matrix
• Policies

Step 4: Pick your auditor. 

Finally, decide who you want to serve as your third-party auditor. Pick a well-reviewed CPA or auditing firm that has experience in your industry. Or pick an auditor that is familiar with your compliance automation tool.

The auditor will spend anywhere from a few weeks to several months working with your team before producing a SOC report. If you get an unqualified opinion in your report, congratulations! 

If not, use the SOC report as lessons learned for closing gaps and try again for an improved report.

How Secureframe can help you get the SOC report you need

Secureframe can not only help you decide what type of SOC report your business needs — we can also help you streamline the process. 

By simplifying SOC 2 compliance through AI and automation, we save teams hundreds of hours and thousands of dollars spent writing security policies, collecting evidence, hiring security consultants, and performing readiness assessments. And because Secureframe continuously monitors your infrastructure and alerts you of vulnerabilities, you’ll be able to get and stay SOC compliant easier and faster. 

In a recent survey of more than 160 small businesses, 81% of organizations said they were able to prepare for and complete audits at least 25% faster when using Secureframe. In fact, 32% prepared for and completed an audit in less than half the time. 86% also said they were able to reduce time and effort maintaining compliance. 

Request a demo to learn more about how we can help you get the SOC report you need in less time.