Security teams that review security procedures must understand the output and reporting capabilities available for the audit data. Any finding of significant importance must be reported to management immediately so that they are alerted to any possible risk or harm. The level of detail given to management may vary depending on their roles and responsibilities.
The type of audit being performed can also determine the type of report that must be produced. For example, audits under the American Statement on Standards for Attestation Engagements (SSAE) 16 require a Service Organization Control (SOC) report.
There are four types of SOC reports:
SOC 1 Type 1
This report outlines the findings of an audit, as well as the completeness and accuracy of the documented controls, systems and facilities. Type 1 reports focus on the service organization’s systems and also report on the suitability of the control design to achieve its objective.
SOC 1 Type 2
This report includes the content of the Type 1 report, along with information about the effectiveness of the procedures and controls in place for the near future. Type 2 reports focus on the service organization’s systems and also report on whether the controls are operating effectively enough to meet their objectives.
SOC 2
This report includes the test results of an audit. These reports can play an important role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
SOC 3
This report provides general audit results together with a data center certification level. These reports are intended for users or clients who require assurance of the security, integrity and confidentiality of processes, and of their availability. SOC 3 reports can be distributed or published freely.