Selecting the Right Service Organization Control Report for Outsourced Operations

July 26, 2021

Joe from the marketing department could lose his documents if your outsourced infrastructure isn’t secure. That might not seem like the end of the world (unless you’re Joe), but if a bank’s website goes down, the bank loses money.

To provide transparency into these risks, the American Institute of CPAs (AICPA) established System and Organization Controls (SOC) reports.

These reports provide a standardized way to evaluate and report on internal controls at organizations. But understanding which SOC report is best for your business can be complicated if you’re not fully informed.

Increased Outsourcing Calls for Better Security

To understand SOC reports, you need to know why the AICPA helped establish them in the first place. In short, they were born out of the need to better govern the influx of outsourced services to organizations.

One major example involves cloud service providers. Cloud solutions have become widespread because they save time and money. Companies that collect valuable information or process transactions trust their cloud providers to protect that information and maintain a system of integrity. In the case of a breach or issue, however, companies are still liable for such information.

This is where the different types of SOC reports come into play for companies that use third-party service organizations. The types of SOC reports vary in function, usage, and scope. To ensure you’re providing your clients with the information they need, it’s important to choose the right form — but deciding which SOC is needed can be tricky. Here’s a brief overview of each:

SOC 1: This is the most basic report with the most limited use and the most general objectives. Formerly known as SAS 70, briefly known as SSAE 16 (which no longer exists), and often mistakenly referred to as SSAE 18, the report now named SOC 1 is relevant to service organizations that perform or support their customers’ financial reporting transactions, such as payment processing, payroll processing, and asset management. If your customers rely on you to support their internal control over financial reporting, stick with SOC 1.

The objectives of the report are general, and they relate to business processing and IT controls. This report is for your company’s auditors and for the management at a service organization. If the service organization doesn’t support financial reporting transactions, beware — this report is commonly misused.

SOC 2: A SOC 2 report may report on any of the trust services criteria of security, availability, processing integrity, confidentiality, or privacy, either individually or in combination. Security is the most common criterion to report on, with availability and confidentiality not too far behind. SOC 2 is a reporting framework that allows other frameworks and criteria to be evaluated in the report. Because cloud service providers might have customers with wide-ranging industries and needs, additional frameworks such as NIST CSF, HITRUST, HIPAA, and many more are often incorporated into the report. The AICPA has mapped common frameworks back to the trust services criteria. We like to think of these additional frameworks as being able to speak the same language as the users of the SOC 2 report. This report can be applied to a range of systems used by customers and companies. And because these reports include controls over specific requirements, such as disaster recovery solutions and security risk monitoring, they’re generally considered a “deeper dive” into the service provider’s systems.

SOC 3: The SOC 3 report is similar to a SOC 2 but shorter. It doesn’t contain all the details or reference operational effectiveness tests like the SOC 2 report does, but it still offers a CPA’s opinion on the system. The benefit of a shorter report is that there are no restrictions on report distribution. This report can be posted on the organization’s website, which can make marketing departments happy and reassure consumers.

Anything related to system uptime, security beyond general IT controls, confidentiality, or privacy will call for SOC 2 or 3 reports. The difference between these two concerns what the reports cover. Remember, SOC 3 includes fewer details about the environment.

SOC for Cybersecurity: SOC for Cybersecurity is a reporting framework over an entire entity’s cybersecurity risk management program and related controls. The purpose of this framework is to demonstrate and communicate due diligence and due care in the entity’s cybersecurity program, and it can have other specific uses such as management reporting to a board or audit committee. 

There are a few key differences between SOC for Cybersecurity and SOC 2 and 3 reports. While a SOC 2 examination reports on a variety of the trust services criteria, including security, availability, processing integrity, confidentiality, and privacy for a broad range of users, a SOC for Cybersecurity report is more specific in providing organizations with objective assurance that the appropriate systems, processes, and controls exist to manage a cyberattack.

SOC for Supply Chain: This is the most recently released SOC report, and is used to evaluate supply chain risk management efforts for companies involved in manufacturing, production, and distribution. Because of the interdependent nature of the supply chain, these risks and objectives are applicable across industries. 

SOC reports can be pretty complicated. If you’re interested in getting more information, including which professional standards govern each type of audit, visit the AICPA’s page on SOCs or contact us here at BARR. 

As the use of outsourced services continues to rise, people will want more assurance that the information they’re handing over is in safe hands. SOC reporting, in particular, can be a daunting task for many organizations. But by doing your due diligence and selecting the correct report, you’ll protect your organization and your clients (including Joe) from risk.

This post was originally published on
