By Trish Bocutti

Service Organization Controls (SOC) reports are designed to help service organizations give customers a higher level of comfort regarding the security of their data. While these reports are mandatory only for some organizations, such as ISVs whose software or services affect a company's financials, partners who are not required to obtain SOC reports may still want to do so.

Why SOC reports matter

Produced by independent, third-party CPAs (Certified Public Accountants), SOC reports can help you give your customers added trust in your software or service delivery, as well as more control over the information and data your organization provides.

SOC reporting is relevant for service organizations that operate information systems and provide information system services to user companies. These reports help build trust and confidence in those service delivery processes and controls, including how these controls may impact the generation of financial statements in the user company being reviewed.

As your customer moves into a cloud-based environment, it’s common for them to be unsure about what controls they must maintain themselves and what controls will be managed by the software or cloud vendor. For example, a software as a service (SaaS) provider must provide reasonable assurance that transactions posted in the system are accurate, valid, and complete. The customer is responsible for having controls in place to make sure the data is authorized, accurate, and complete.

It’s also common for customers to experience some confusion around what audit reports might be necessary to meet their requirements. Using SOC reports can help you show your customer that you understand their business needs and demonstrate your understanding of their audit and reporting requirements. As an added bonus, describing and reviewing possible SOC needs upfront, before the customers may even know of their need, can help identify you, the partner, as a clear leader in the cloud software world, differentiating you from other, less-educated partners.

Three types of SOC reports

SOC reports come in three forms, depending on to whom the service organization is distributing the reports and what service is being provided. Because each type serves a different purpose, you should know which SOC you need to meet your and your customers’ business goals.

Here’s a quick breakdown of the differences between the SOC report types:

Service Organization Controls 1 reports

Who is it for?

SOC 1 reports are intended for service organization users and their auditors only.

What does it cover?

SOC 1 reports focus on the effect a service organization has on the user’s release of financial statements, specifically the Internal Control over Financial Reporting, more commonly known as the ICFR.

There are two types of SOC 1 reports, both based on the description of the service organization’s system and what that system is supposed to do. Type 1 is a snapshot as of a specific point in time; Type 2 reviews controls over a period of time.

Type 1 reports answer the question:

  • How does the control design suit the stated control objectives as of a specific date?

This includes a review of the design of the controls.

Type 2 reports answer the questions:

  • How does the control design suit the stated control objectives?
  • What is the effectiveness of the controls?
  • Specifically, during a specified period, are the controls functioning as designed?

Is it required?

SOC 1 reports can be necessary in meeting compliance requirements for the user.

Service Organization Controls 2 reports

Who is it for?

SOC 2 reports are for partners who operate data centers or provide IT managed services, SaaS, or other cloud-computing services. These reports are made for distribution to a restricted list, usually including the user’s auditors, managers, regulators, business partners, and any other stakeholder the user’s managers or auditors deem necessary.

What does it cover?

The review is not necessarily focused around the impact the partner’s services have on financial reporting. Instead, the SOC 2 report reviews the information system on five criteria known as the Trust Services Principles:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

Similar to the SOC 1 reports, there are two versions of the SOC 2 reports, Type 1 and Type 2. Type 1 is a snapshot as of a specific point in time; Type 2 reviews controls over a period of time.

Is it required?

While not required to meet compliance regulations, SOC 2 reports help create trust and establish a partner’s credentials for providing financial services. Security trends are top of mind for our customers, and having a solid SOC 2 report can demonstrate your commitment and competency when it comes to securing their data.

Service Organization Controls 3 reports

Who is it for?

SOC 3 reports can be distributed freely to anyone.

What does it cover?

SOC 3 reports show potential customers the capability of the service provider’s controls to manage risk. While they’re based on the same principles outlined in a SOC 2 report, SOC 3s are generally less detailed, easier to read, and require less understanding of the auditing process in general.

Is it required?

These reports are not required, but like the SOC 2 reports, they can convey important information to customers regarding the safety of their organization’s data. And because the SOC 3s are designed for a wider audience, they can be much easier for decision-makers without a financial background to consume.

There is still a lot of uncertainty out there about security in the cloud. As our customers increasingly consider a move to the cloud, providing them with assurance that their information will be secure and compliance requirements will be met is crucial. Knowing the partner they’re working with—you—has the necessary expertise to protect their data may give them the peace of mind to feel confident about their transition to the cloud.

To learn more about SOC reports and determine which reports you should be offering, visit the American Institute of Certified Public Accountants and the Public Company Accounting Oversight Board.
