Data breaches are on the rise. In Q2 2023, they increased by 156% globally compared to the previous quarter. 

As a result, it’s more important than ever for your organization to earn customers’ trust.

That’s where System and Organization Controls (SOC) comes in. A SOC report is a way to prove to prospects that your organization has sufficient controls in place to protect their sensitive data.

Below we will cover what a SOC report is, the different types of SOC reports, and how to get one.

What is a SOC report?

A SOC report is generated by an independent audit of a company’s information security systems and the controls it has in place to secure those systems and the information stored, processed, and/or transmitted by them. Only a CPA or an organization accredited by the American Institute of Certified Public Accountants (AICPA) can conduct a SOC audit.

Aside from a few common criteria related to security, every SOC report is personalized to the specific company under audit. A SOC report may cover controls related to:

• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy
• Financial reporting
• Cybersecurity

That’s why no two SOC reports will look exactly alike.

What is a SOC report used for?

A SOC report is used to verify the design and operating effectiveness of the controls a service organization has in place to securely handle customer data. 

A prospective client may request a service organization get a SOC report as a condition for working together. This is a common practice among user entities, similar to asking for references before hiring an employee. A user entity is an organization that outsources a business function to, or otherwise partners with, a service organization.

Alternatively, a service organization might decide to pursue SOC compliance before anyone asks for it. This can help to attract potential customers by demonstrating that the company can be trusted.

Who needs a SOC report?

SOC is specifically designed to test the security of information systems. Therefore, individuals or companies that seek SOC compliance tend to be in the business of handling large amounts of information on behalf of other companies.

Examples include but are not limited to:

• Accountants
• Money managers
• Third-party software developers
• Staffing firms
• Marketing agencies
• Billing management platforms
• Trust companies
• Financial reporting software companies
• Cloud service providers
• HR management service organizations
• Recruitment platforms
• Host data centers
• SaaS providers
• Insurance claim processors

At Secureframe, we regularly seek SOC 2 compliance and include processing integrity within the scope of our audit to practice what we preach. As compliance automation professionals, we’re a prime example of a business that needs to build trust among our customer base. 

What are the different types of SOC reports?

Each type of SOC report has a slightly different set of use cases. 

As you’ll read in the next section, SOC 1® and SOC 2® are subdivided into Type 1 and Type 2. Both Type 1 and 2 refer to how the audit is conducted, while SOC 1, 2, and 3 refer to the subject matter of the SOC report.

SOC 1®

A SOC 1 audit is for any organization that provides its clients with services related to financial reporting.

To put it another way: if anything a business does could impact a financial audit of one of that business’s clients, that business might need a SOC 1 report. 

Examples include accountants, payroll processors, or tax preparation assistants.

Since CPAs manage SOC, and financial statements and other information is often the most sensitive, financial controls are an area of special interest. The SOC 1 process examines a company’s security and business processes, looking for any risks to users’ financial information.

A service auditor should also check to see if any risks that arise from the audited business could impact internal controls put in place by clients. You could have the best information security in the world, but that’s not worth much if you contract with third parties who don’t uphold the same standards.

SOC 1® Type 1 and 2

• SOC 1 Type 1: An audit that checks whether your systems are designed to achieve the proprietary criteria of SOC 1 (ie. the related control objectives included in the description) at a specific point in time to protect financial controls. Type 1 audits are relatively cheap and easy, but aren’t as thorough as Type 2s. Think of them as dipping your toes in the water: you get a feel for what an audit is like, but you’re not diving all the way in.
• SOC 1 Type 2: An audit that examines how your systems are designed AND whether the financial controls are implemented and effective over a specified period of time. A Type 2 report takes longer (between 3 and 12 months) because the auditor needs to run control tests on your information systems. Whereas Type 1 is like dipping your toes in the water, Type 2 is like going for a full swim.

SOC 2®

SOC 2 is by far the most commonly sought form of SOC compliance. It’s for any organization providing third-party services that require customers to trust them with sensitive data. It’s particularly popular among software-as-a-service (SaaS) companies.

Instead of a pre-determined list of controls like those that make up most ISO criteria, SOC 2 is based on the “trust services criteria'' (TSC). This groups suggested controls under five categories: 

1. Security 
2. Privacy 
3. Confidentiality 
4. Availability 
5. Processing integrity

The trust principles you select inform your attestation criteria. According to the AICPA, they should be relevant, objective, measurable, and complete.

The controls grouped under Security, known as the “common criteria,” are the only ones required to undergo a SOC 2 audit. Companies are asked to document their control environment, communication and information protocols, risk management and assessment processes, and how they implement and monitor controls. 

All the others are optional, though most auditors will check on more than the bare minimum. Confidentiality and availability, while not required, are often included in scope. Privacy and processing integrity are generally included based on the nature of the organization’s systems and services. For example, if your system has a lot of sensitive personal data, you may want to consider privacy in scope. If your system processes a lot of data and/or has integrations, you may want to consider processing integrity. 

SOC 2® Type 1 and 2

• SOC 2 Type 1: An audit that tests whether your controls are designed according to relevant trust services criteria at a single point in time. Since SOC 2 Type 1 audits and reports can be completed in a matter of weeks, they can help organizations that are short on time and resources to quickly prove to prospects that they’re secure.
• SOC 2 Type 2: An audit that examines whether your controls are designed according to relevant trust services criteria AND whether the controls are implemented and effective throughout a specified period of time. Since SOC 2 Type 2 reports cover the continuous functionality of controls in a range of time, Type 2 SOC reports are much more comprehensive than Type 1 reports and carry more weight with user entities.

SOC 3®

A company that gets a SOC 2 audit usually provides some sort of B2B service or B2B2C service. However, since a SOC 2 report is not necessarily public knowledge (and isn’t easy for a non-professional to parse), the company might get a SOC 3® report instead.

A SOC 3 report is similar to a SOC 2, except it’s shorter and public. It’s a more digestible product that can be used for marketing or made available to customers for free. SOC 3 reports are an easy way to build trust among large groups of individuals.

Other SOC engagements

The AICPA has added to its SOC suite of services over time. Let’s take a look at two recent developments below.

SOC for Cybersecurity

SOC for Cybersecurity is a reporting framework that assists organizations in communicating relevant and useful information about the effectiveness of their cybersecurity risk management programs.

A SOC for Cybersecurity examination and related report evaluates the design of an organizations' enterprise-wide cybersecurity risk management program based on the trust services criteria, or other suitable criteria such as ISO 27001 or NIST CSF, and whether they were effective in achieving the organization’s specified cybersecurity objectives.

While SOC 2 is best suited for service organizations, SOC for Cybersecurity is suited for virtually any type of organization.

The purpose of this type of examination and report is to provide general users, including the organization’s management, directors, investors, business partners, and other stakeholders, with information about the organization’s cybersecurity risk management program that helps inform their decision-making.

Like a SOC 3 report, a SOC for Cybersecurity report is appropriate for general use.

SOC for Supply Chain

SOC for Supply Chain is a reporting framework that helps organizations communicate certain information about the supply chain risk management efforts and assess the effectiveness of system controls that mitigate those risks. Ultimately, the AICPA’s goal in developing this solution was to foster greater transparency in the supply chain.

Like SOC 2, a SOC for Supply Chain examination and related report evaluates the design of an organizations' controls based on the trust services criteria.

Unlike a SOC 2, SOC for Supply Chain is best suited for organizations that produce, manufacture, or distribute products. The purpose of this type of examination and report is to to help organizations and their customers and business partners identify, assess, and address the risks arising from business relationships with their suppliers.

What are the contents of a SOC report?

While the contents of a SOC report vary depending on the type, most share common components of a SOC 2 Type 2 report.

The AICPA provides an illustrated example of a SOC report on its website. It runs 31 pages, a fairly typical length. A quick review of the contents reveals the following:

1. Opinion letter: A summary of the auditor’s (or practitioner’s) opinion, illustrating whether they think the target company passes inspection.

• An “unqualified opinion” is a pass with flying colors.
• A “qualified opinion” means the company is almost compliant, but one or more areas aren’t there yet.
• An “adverse opinion” is a failure. The company falls short in one or more non-negotiable areas.
• A “disclaimer of opinion” means the auditor doesn’t have enough evidence to support any of the first three options.

2. Management assertion: Summarizes what the managers of the company under audit told the auditor about their information security controls.

3. Description of systems: Explains what the company does and how they describe their own infrastructure. Note: This is not included in a SOC 3 report. In a SOC for Cybersecurity, a description of the organization’s cybersecurity risk management program is included instead.

4. Applicable criteria: Lists each internal control the company believed was applicable to their own services, alongside the results of tests of controls. Note: Control tests and results are not included in a SOC 1 Type 1, SOC 2 Type 2, SOC 3, or SOC for Cybersecurity.

5. Other information: Information provided by the company that the auditor determined not to be relevant.

Now that you have a better idea of what SOC reporting looks like, let’s walk through the process of getting one. 

How to Get a SOC Report

A SOC report is generated by a SOC audit conducted by a SOC analyst. This is usually a CPA or an AICPA-accredited organization. Before you invite an auditor to your office, your first step is to decide exactly what sort of SOC report you need.

Step 1: Choose a type of SOC report.

First, choose from among the three SOC categories in the previous section. They’re not mutually exclusive. In fact, some companies might seek all three. 

Plenty of large corporations offer both financial and non-financial services and want to build trust among businesses and the public.

Say your company is a small startup that provides cloud services to larger businesses. Obviously, you would choose SOC 2. 

Next, you’ll need to choose between a SOC 2 Type 1 report and Type 2 report. Choose based on your budget and the urgency of producing the certificate. Many organizations choose to start with a Type 1 audit and then use that report to undergo Type 2.

Step 2: Conduct a readiness assessment.

Next, conduct a readiness assessment. This is like studying for and taking a practice test — it ensures the auditor doesn’t catch you unprepared.

To do a readiness assessment, you have to get familiar with the trust services criteria. 

Be able to answer questions like:

• “How is my system protected against attacks?” (Security)
• “How do we decide when to make data from the system available?” (Availability)
• “Does the system work the way it needs to?” (Processing integrity)
• “How do we ensure the system keeps private information away from unauthorized personnel?” (Privacy)
• “When information must be shared, what keeps the exchange secure?” (Confidentiality)

Consider every possible way the Trust Services Criteria might apply to your infrastructure. If you discover any areas in which your system falls short, determine what you need to do to become compliant. This is called a “gap analysis” — closing the gap between where your system is and where it needs to be.

Step 3: Prepare documentation for your auditor.

Next, document everything heavily. You should be able to look at a complete list of the TSC and immediately produce documentation explaining how your information security meets each criterion.

While the kind and amount of documentation required for compliance will vary depending on the type and scope of your audit, you will need to provide the following documents at a minimum:

• Management assertion
• System description
• Control matrix
• Policies

Step 4: Pick your auditor. 

Finally, decide who you want to serve as your third-party auditor. Pick a well-reviewed CPA or auditing firm that has experience in your industry. Or pick an auditor that is familiar with your compliance automation tool.

The auditor will spend anywhere from a few weeks to several months working with your team before producing a SOC report. If you get an unqualified opinion in your report, congratulations! If not, use the SOC report as lessons learned for closing gaps and try again for an improved report.

How Secureframe can help you get the SOC report you need

Secureframe can not only help you decide what type of SOC report your business needs — we can also help you streamline the process. 

By simplifying SOC 2 compliance through AI and automation, we save teams hundreds of hours and thousands of dollars spent writing security policies, collecting evidence, hiring security consultants, and performing readiness assessments. And because Secureframe continuously monitors your infrastructure and alerts you of vulnerabilities, you’ll be able to get and stay SOC compliant easier and faster. 

Request a demo to learn more about how we can help you get the SOC report you need.