fbpx
Contact Us
 
Contact Us

Insights

< Back to Thought Leadership

FAQ: System and Organization Controls (SOC) Reports

FAQ: System and Organization Controls (SOC) Reports
April 15, 2019

What kinds of companies need SOC reports?

Organizations that provide the following types of services for customers/clients may benefit from a SOC examination and report to demonstrate to customers/clients the strength of their internal controls:

  • Software as a Service
  • Outsourced Transaction Processors (e.g., Payroll Processors, TPA’s)
  • Professional Services with Access to Sensitive Client Data (e.g, Accounting Firms, Law Firms, Comp & Benefit Consultants, etc.)
  • Outsourced Data Centers/Co-Location Facilities
  • Resellers of Credit Reporting Agencies (Equifax, TranUnion, Experian, etc.)
  • Outsourced Security Operations Centers
  • Business Associates of Covered Entities (Healthcare)

What are SOC Reports?

SOC reports help demonstrate:

  • the control activities that your organization has implemented over the processing of financial transactions or data, or
  • the actions that your organization has taken to address the security, availability, processing integrity, confidentiality, and/or privacy concerns clients have related to their data and information.

They can come in three different forms: SOC 1, 2, or 3.

What is a SOC 1 Report?

The purpose of a SOC 1 report is to communicate a service organization’s controls relevant to a customer’s internal controls over financial reporting. SOC 1 reports may help demonstrate compliance with various regulations, such as Sarbanes-Oxley or Model Audit Rule.

What is a SOC 2 Report?

The purpose of a SOC 2 report is to help customers understand controls in place related to security, availability, processing integrity, confidentiality, and/or privacy. SOC 2 reports may help demonstrate compliance with regulations such as PCI, HIPAA, GLB, FIDICA, etc. Distribution of these reports is restricted.

What is a SOC 3 Report?

The purpose of a SOC 3 report is to inform any interested parties about the operating effectiveness of internal controls at the service organization relevant to security, availability, processing integrity, confidentiality, and/or privacy, in connection with a SOC 2 engagement. The SOC 3 is a general use report that contains less detail than a SOC 2, but its distribution is not restricted.

What are the attestation standards related to SOC reports?

All SOC reports are completed within the AICPA’s Auditing Standards Board (ASB) Statements on Standards for Attestation Engagements (SSAE), SSAE 18 Attestation Standards: Clarification and Recodification.

I’ve seen SSAE 16 and AT 101 listed on other sites. What are those?

SSAE 16 is the old standard for SOC 1 engagements and AT 101 is the old standard for SOC 2 and SOC 3 engagements. SSEA 18 was released in April of 2016.

What is the difference between Type 1 and Type 2 reports?

Type 1 attests to management’s system and suitability of the design of controls as of a specified date, ie: whether the controls were designed properly and implemented as of a point in time.

Type 2 attests to management’s system and suitability of the design of controls over a specified period of time, rather than one date, ie: whether the controls were designed properly, implemented and operating effectively over a period of time.

What kind of SOC report do I need?

We created a quick quiz to determine which SOC report might best serve your organization’s needs.

Have more questions or want to talk?

If you have more questions or would like to begin a discussion regarding a SOC Report for your organization, please contact Tom Skoog at tskoog@blueandco.com or Jennifer Miloszewski at jmiloszewski@blueandco.com.

Share this article

Recent Articles View All Thought Leadership

SBA's E2G Manufacturing Program

SBA’s E2G Program Highlights Manufacturing’s Real Growth Constraint: Talent

May 19, 2026

By Jordan Miller, CPA, Senior Manager at Blue & Co. If you spend time talking with manufacturers right now, especially leaders in small to mid-sized operations, you start to hear […]

Learn More
Preserving 340B Eligibility: Why Hospitals Need a Proactive DSH Strategy

Proactive DSH Strategy for Preserving 340B Eligibility

May 14, 2026

For hospitals that depend on 340B savings, optimizing the Disproportionate Share Hospital (DSH) percentage that drives 340B eligibility should be treated as a financial and operational priority. In simple terms, […]

Learn More
The Optimal Retirement Age for Dentists: A Financial Perspective

The Optimal Retirement Age for Dentists: A Financial Perspective

May 06, 2026

As of 2025, there were approximately 200,000 dentists practicing in the United States. Of these, nearly 35% of them were 55 years or older. In 2023, the average retirement age […]

Learn More
Subscribe to our newsletters.

Facebook

Preparing for the CPA exam can feel overwhelming—but the right guidance can make all the difference.At Blue & Co., we’re committed to supporting our people through every stage of their careers, including one of the most important milestones in accounting. From knowing what to expect to building a study plan that works, having the right tools and support system matters.Whether you’re just starting your CPA journey or getting ready to sit for your next section, this is a great place to begin.Read our tips on what to expect and how to prepare:hubs.la/Q04czgC50 ... See MoreSee Less
View on Facebook
· Share

Share on Facebook Share on Twitter Share on Linked In Share by Email

Quick Links

AICPA SOC Award Banner for Service Organizations | Blue Button
Blue & Co. Logo

Copyright © 2026, Blue & Co., LLC.
All Rights Reserved.

See All Locations