Does your organization provide services that are critical to another organization’s success? Does your organization process or store information for other organizations? If you can answer “yes” to either of these questions, it is more than likely that you need a Service Organization Control report, or SOC for short! As the nature of information technology has changed the way that we do business, the need for a third party auditor to review the way that your organization has grown and changed with it.

While it may seem daunting at first, we will help you break down what a SOC report is, and which type might best fit your company or situation. There are three different flavors of SOC reports that an organization can choose: SOC 1, SOC 2, or SOC 3.

SOC 1

A SOC 1 report details controls which are relevant to the user organization’s financial reporting. If your company processes information that affects your customer’s financial statements then this report would be a good choice for your organization. Examples of organizations that might consider a SOC 1 report include: Healthcare claims processing, Payroll processing, Payment processing, workers compensation claims processing, etc. Because SOC 1 contains information about your service’s controls, it is only intended to be reviewed by your (business associates/clients).

SOC 2

A SOC 2 report details controls that are not related to the user organization’s financial reporting but instead covers: security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports, therefore, are much broader in scope than SOC 1 reports. SOC 2 reports would be beneficial for an organization where areas of concern include security, availability, processing integrity, confidentiality, and privacy. Examples of companies that may consider a SOC 2 report include: Data Centers, IT systems management, Cloud services, etc. Just like SOC 1 reports, these reports are intended just for your clients.

SOC 3

A SOC 3 report is very similar to a SOC 2 report. A SOC 3 report, just like a SOC 2, supports controls related to security, availability, processing integrity, confidentiality, and privacy. The main difference between the two are who they are intended for and how detailed the report is. This report is a little less detailed than a normal SOC 2 report and is normally available on the service organization’s website. Unlike a SOC 1 and SOC 2, a SOC 3 doesn’t contain any (specific/proprietary) details about your organization and therefore can be safely distributed to anyone.

Contact Us

If you have any questions about obtaining a SOC report or how this may impact your or your company, reach out to us online by clicking here, or call 513-241-8313 to speak with a member of the Barnes Dennig team.

About the Author:

Liz is a Service Organization Controls (SOC) and IT Controls Specialist. She works closely with clients to ensure that controls are in place to prevent fraud and combat cybercrime. Liz has expertise in identifying specific control solutions for all size organizations from small not for profit organizations to large public corporations. Liz graduated from the University of the Cumberlands with Bachelor’s Degrees in Accounting, Information Systems, and Business Administration. She also holds a Master’s Degree in Accounting from Northern Kentucky University.