What’s The Difference Between SOC 1, SOC 2, and SOC 3?

by Joseph Kirkpatrick / August 16th, 2017

When it comes to SOC (System and Organization Controls) reports, there are three different SOC report types: SOC 1, SOC 2, and SOC 3. When considering which report fits your organization’s needs, you must first understand what your clients require of you and then consider the areas of internal control over financial reporting (ICFR), the Trust Services Criteria, and restricted use. Each SOC report type fulfills a different purpose, and organizations should understand which report will best meet their needs before embarking on the SOC audit process.

SOC 1 vs. SOC 2 vs. SOC 3

The System and Organization Controls were developed by the American Institute of CPAs (AICPA). In the context of SOC reports, internal controls are procedures designed to ensure compliance with policies relevant to company operations, laws and regulations, and financial reporting. Following an audit of internal controls by a licensed CPA, the auditor writes a SOC report that service users can rely on as an accurate assessment of the auditee’s controls.

There are three different SOC report types, although, in most cases, organizations choose between a SOC 1 and SOC 2 report. Both result from an audit of internal controls, although they focus on different aspects of those controls. In a nutshell, SOC 1 focuses on internal controls relevant to a service user’s financial statements, whereas SOC 2 reports on controls relevant to various aspects of information security.

What Is a SOC 1 Report?

SOC 1 engagements are based on the SSAE 18 standard and report on the effectiveness of internal controls at a service organization that may be relevant to its clients’ internal control over financial reporting (ICFR).

What Is a SOC 2 Report?

A SOC 2 audit evaluates internal controls, policies, and procedures that directly relate to the security of a system at a service organization. The SOC 2 report was designed to determine if service organizations are compliant with the following categories: security, availability, processing integrity, confidentiality, and privacy, which are also known as the Trust Services Criteria. These principles address internal controls unrelated to ICFR.

What Is a SOC 3 Report?

A SOC 3 report, just like a SOC 2, is based on the Trust Services Criteria, but there’s a major difference between these types of reports: restricted use. A SOC 3 report can be freely distributed, whereas SOC 1 and SOC 2 reports can only be read by the user organizations that rely on your services. A SOC 3 does not give a description of the service organization’s system, but it can provide interested parties with the auditor’s report on whether an entity maintained effective controls over its systems as they relate to the Trust Services Criteria.

In addition to these distinctions, organizations can also choose between Type I and Type II SOC reports. We explain the distinction in greater depth in What’s the Difference Between SOC 2 Type I and SOC 2 Type II?

When trying to determine whether your service organization needs a SOC 1, SOC 2, or SOC 3 audit, keep these requirements in mind:

  • Could your service organization affect a client’s financial reporting? A SOC 1 would apply to you.
  • Does your service organization want to be evaluated on the Trust Service Criteria? SOC 2 and SOC 3 reports would work.
  • Does restricted use affect your decision? SOC 1 and SOC 2 reports can only be read by the user organizations that rely on your services. A SOC 3 report can be freely distributed and used in many different applications.

Each of these reports must be issued by a licensed CPA firm, such as KirkpatrickPrice. We offer SOC 1, SOC 2, and SOC 3 engagements. To learn more about KirkpatrickPrice’s SOC services, contact us today.

What is the difference between SOC 1, SOC 2, and SOC 3 reports? SOC reports are Service Organization Control reports.

SOC 1 reports work off of the SSAE 16 (now SSAE 18), which is about internal control over financial reporting. As a service organization, you may affect your user organization’s financial reporting. If so, a SOC 1 is the one for you.
Trust Services Principles have to do with criteria dealing with security, availability, processing integrity, confidentiality, and privacy. Those Principles work with SOC 2 and SOC 3 reports.

These reports are restricted in use when you issue a SOC 1 or a SOC 2 report. They are only to be read by the user organizations who rely upon your services, whereas a SOC 3 can be used in many different applications.

Finally, these three types of reports need to be issued by a licensed CPA firm that specializes in this particular industry and the industry that you work in. KirkpatrickPrice is a licensed CPA firm that can help you with all three types of reports – the SOC 1, SOC 2, and SOC 3.