fbpx
Contact Us
 
Contact Us

Insights

< Back to Thought Leadership

FAQ: System and Organization Controls (SOC) Reports

FAQ: System and Organization Controls (SOC) Reports
April 15, 2019

What kinds of companies need SOC reports?

Organizations that provide the following types of services for customers/clients may benefit from a SOC examination and report to demonstrate to customers/clients the strength of their internal controls:

  • Software as a Service
  • Outsourced Transaction Processors (e.g., Payroll Processors, TPA’s)
  • Professional Services with Access to Sensitive Client Data (e.g, Accounting Firms, Law Firms, Comp & Benefit Consultants, etc.)
  • Outsourced Data Centers/Co-Location Facilities
  • Resellers of Credit Reporting Agencies (Equifax, TranUnion, Experian, etc.)
  • Outsourced Security Operations Centers
  • Business Associates of Covered Entities (Healthcare)

What are SOC Reports?

SOC reports help demonstrate:

  • the control activities that your organization has implemented over the processing of financial transactions or data, or
  • the actions that your organization has taken to address the security, availability, processing integrity, confidentiality, and/or privacy concerns clients have related to their data and information.

They can come in three different forms: SOC 1, 2, or 3.

What is a SOC 1 Report?

The purpose of a SOC 1 report is to communicate a service organization’s controls relevant to a customer’s internal controls over financial reporting. SOC 1 reports may help demonstrate compliance with various regulations, such as Sarbanes-Oxley or Model Audit Rule.

What is a SOC 2 Report?

The purpose of a SOC 2 report is to help customers understand controls in place related to security, availability, processing integrity, confidentiality, and/or privacy. SOC 2 reports may help demonstrate compliance with regulations such as PCI, HIPAA, GLB, FIDICA, etc. Distribution of these reports is restricted.

What is a SOC 3 Report?

The purpose of a SOC 3 report is to inform any interested parties about the operating effectiveness of internal controls at the service organization relevant to security, availability, processing integrity, confidentiality, and/or privacy, in connection with a SOC 2 engagement. The SOC 3 is a general use report that contains less detail than a SOC 2, but its distribution is not restricted.

What are the attestation standards related to SOC reports?

All SOC reports are completed within the AICPA’s Auditing Standards Board (ASB) Statements on Standards for Attestation Engagements (SSAE), SSAE 18 Attestation Standards: Clarification and Recodification.

I’ve seen SSAE 16 and AT 101 listed on other sites. What are those?

SSAE 16 is the old standard for SOC 1 engagements and AT 101 is the old standard for SOC 2 and SOC 3 engagements. SSEA 18 was released in April of 2016.

What is the difference between Type 1 and Type 2 reports?

Type 1 attests to management’s system and suitability of the design of controls as of a specified date, ie: whether the controls were designed properly and implemented as of a point in time.

Type 2 attests to management’s system and suitability of the design of controls over a specified period of time, rather than one date, ie: whether the controls were designed properly, implemented and operating effectively over a period of time.

What kind of SOC report do I need?

We created a quick quiz to determine which SOC report might best serve your organization’s needs.

Have more questions or want to talk?

If you have more questions or would like to begin a discussion regarding a SOC Report for your organization, please contact Tom Skoog at tskoog@blueandco.com or Jennifer Miloszewski at jmiloszewski@blueandco.com.

Resources View More Resources

Coronavirus Resources & Information
2019 Year-End Tax Planning Guide
Implementation Guide: ASU 2016-14 Presentation of Financial Statements for Not-for-Profit Entities

Recent Articles View All Thought Leadership

AI preventing cyberattack

How AI Can Help Protect Not-For-Profits From Cyberattacks

April 21, 2025

By Joel Barnett, Technical Account Executive at Blue Pioneer Consulting and Holly Fields, CPA, Senior Manager at Blue & Co. Not-for-profit organizations handle sensitive data every day, which make them […]

Learn More

How Cryptocurrency Donations Can Transform Not-For-Profit Fundraising

April 02, 2025

By Doug Sandor, Senior Accountant and Chad Nieter, CPA, Senior Manager at Blue & Co. Cryptocurrency, a digital asset powered by cryptography for enhanced security, has revolutionized modern finance and […]

Learn More
inventory valuation

Navigating Inventory Valuation Amid Market Challenges: Key Insights for Distilleries

March 21, 2025

By Philip Blakely, CPA, Manager at Blue & Co. Inventory Valuation and Impacts of Idle Capacity The beverage industry is navigating through challenging times, with increased aging barrels in the […]

Learn More
Subscribe to our newsletters.

Facebook

Our Post Acute Care Team is thrilled to be attending the LeadingAge Indiana 2025 Spring Conference on May 1-2 in Indianapolis, IN!Visit Landon Hackett, Liz Barlow, Missy Deeg, and Kayla May at Booth 18. The team is looking forward to connecting with industry leaders, gaining new insights, and sharing their experiences in transforming post-acute care. ... See MoreSee Less
View on Facebook
· Share

Share on Facebook Share on Twitter Share on Linked In Share by Email

Building Relationships at Blue & Co.: Employees and ClientsBuilding relationships at Blue & Co. is the cornerstone of our success. We strive for our employees and clients to feel a sense of belonging and mutual growth. Join us as we celebrate the bonds that make Blue a place where people thrive both personally and professionally. ... See MoreSee Less
View on Facebook
· Share

Share on Facebook Share on Twitter Share on Linked In Share by Email

Quick Links

AICPA SOC Award Banner for Service Organizations | Blue Button
Blue & Co. Logo

Copyright © 2025, Blue & Co., LLC.
All Rights Reserved.

See All Locations