SOC Reports

A SOC 1 report is appropriate when a company has outsourced a key business process to an external service provider. This report focuses on internal controls around transaction processing at the service provider.

A SOC 2 report is perfect for when a business needs to understand the cybersecurity and technology controls in place at a service provider. This report always has cybersecurity at its core but also can include other control areas like privacy or availability.

A SOC 3 report is a smaller, condensed version of a SOC 2. This report is used to show publicly for transparency and marketing.

A SOC for Cybersecurity report verifies a company’s cybersecurity strategy to ensure that they are taking the measures needed to protect themselves against cyber threats.

Type I reports can be performed for both SOC 1 and SOC 2 reports. Not as desirable as a Type II report, a Type I report indicates the design of the controls is adequate, but the specific controls are not actually tested. A Type I report is issued as of a specific date.

Type II reports can be performed for both SOC 1 and SOC 2 reports. A Type II report not only indicates the design of the controls is adequate, but the specific controls are tested by the independent CPA firm to verify they are operating effectively.

Before undergoing a full SOC report, a SOC Readiness Assessment can help you understand your controls and benchmarking to get ready for a successful SOC report.

An Agreed Upon Procedures engagement reports findings based on specific procedures agreed upon beforehand. This report essentially tests if your company does what it says it does.