SOC 2 & SOC 3 Reports

Confirming the Quality of Your Data Security

Check out the full series on SOC reporting on the Barnes Dennig YouTube channel here.

If you are a technology or cloud service provider, you have access to a lot of confidential customer data. People who use your services want to know that you are taking the necessary precautions to protect the data they entrust to your service.

A SOC 2 or SOC 3 report will provide your customers with verification that your control environment is designed and operating to protect them. Both reports provide assurance on compliance and operations—letting them know that your controls are effective for delivering your service to your customers. Built on the AICPA’s Trust Service Principles, these audits focus on controls relevant to:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

SOC 2 and SOC 3 reports are similar, except that the SOC 3 report is a public document largely used for marketing.

Just like SOC 1, there are two types of reports available:

  • SOC 2, Type I – A look at whether controls are properly designed, in place and documented as of a certain point in time.
  • SOC2, Type II (and SOC 3) – A look at whether controls are properly designed, in place and documented across a period of time.

A SOC 2 report is generally restricted. This means that usage is limited to people that have knowledge of the service organization’s services and IT environment. On the other hand, a SOC 3 report can be shared with the public. In both cases the service organization may place the SOC seal in their marketing materials.

SOC 2 and SOC 3 Experience: During a typical SOC 2 or SOC 3 examination, we’ll look at physical security, internet and infrastructure services, security administration, application security, controls over software changes, IT operations, systems and programming, general control environment and business continuity planning. Our SOC team consists of assurance, IT and internal control professionals who have performed examinations for a variety of businesses large and small.

If you are looking for help with your SOC 2 or SOC 3 reporting requirements, contact us We can help you understand what report you need and how to use it to your organization’s benefit. For more information on SOC reporting, read our SOC FAQs.