Overview of SOC Reports

There are three types of SOC reports that address distinct user requirements:

  • SOC 1 (SSAE 16) reports are focused on user entities’ internal control over financial reporting (ICOFR). Note: SOC 1 reports transition from SSAE 16 to the new SSAE 18 standard, effective for reports issued after May 1, 2017. SSAE 18 is the new standard for all attestation engagements.
  • SOC 2 reports apply more broadly to operational controls over security, availability, confidentiality, processing integrity, and/or privacy across a variety of systems.
  • SOC 3 reports are similar to SOC 2 but shorter and allow for more general distribution, such as posting to your website.

There are two types of reporting periods for SOC 2 reports: Type I (a point in time) and Type II (a specified period of time). Both report types include a description of the overall business and control environment, the control objectives, and the supporting control procedures in place to achieve those objectives.


What is a SOC 1 Report?

A SOC 1 examination reports on internal control over financial reporting (ICOFR) and serves as a detailed report for customers and their auditors. These reports, prepared in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16, report on controls at a service organization, and are most applicable when the service provider performs financial transaction processing or supports transaction processing systems.

Examples of organizations that should consider a SOC 1:

  • Cloud ERP service providers
  • Financial services
  • Payroll processing
  • Payment processing
  • Healthcare claims processing
  • Data center colocation

What is a SOC 2 Report?

A SOC 2 examination reports on a service provider’s system security, availability, processing integrity, confidentiality, and/or privacy (the Trust Services Principles). The AICPA Assurance Services Executive Committee (ASEC) developed the Trust Services Principles as a framework to evaluate an entity’s controls over information processed by the entity’s system.

A SOC 2 report is applicable to a broad variety of systems and is focused on the following principles:

  • Security: The system is protected against both physical and logical unauthorized access.
  • Availability: The system is available for operation and use as committed or agreed.
  • Processing Integrity: System processing is complete, accurate, timely, and authorized.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.
  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and criteria set forth in Generally Accepted Privacy Principles issued jointly by the CICA and the AICPA.

The most common principles reported on include the security and availability principles.

Examples of organizations that should consider a SOC 2:

  • Cloud service providers (e.g., SaaS, IaaS, PaaS)
  • Enterprise systems housing third-party data
  • Data center colocation
  • IT systems management

What is a SOC 3 Report?

Much like the SOC 2 report, the SOC 3 examination reports on a service provider’s system security, availability, processing integrity, confidentiality, and/or privacy (the Trust Services Principles).

The difference lies in the level of detail provided in each report. The SOC 3 report is designed for organizations that do not need, or lack the expertise to make use of, the comprehensive details contained in a SOC 2 report.

Because SOC 3 reports are considered to be general-use reports, there is also an option to distribute the report for marketing purposes, such as posting to your website.

Examples of organizations that should consider a SOC 3:

  • Cloud service providers (e.g., SaaS, IaaS, PaaS)
  • Enterprise systems housing third-party data
  • Data center colocation
  • IT systems management

Getting Started with a Readiness Review

Before committing to a comprehensive SOC examination, we help our clients with a readiness review. The purpose of a readiness review is to identify control weaknesses that need correction. Deliverables from the readiness assessment include:

  • Preliminary control discovery results that will assist your organization in documenting process narratives and crafting the description of controls;
  • Control gaps and areas of improvement; and
  • Prioritized observations and recommendations for remediation.

The advantage of performing a readiness assessment prior to the examination report engagement is that management will have an opportunity to remediate and/or implement controls to meet the selected criteria. Our experience is that companies learn a significant amount about their control environment and the improvements that are needed during this review process.


Our Approach

As use of cloud-enabled services continues to rise, the lines continue to blur across industry verticals and regulations. This poses a challenge to organizations with customers in highly regulated industries to meet the variety of customer risk management programs and questionnaires. We have established a unified compliance approach that leverages the flexibility of SOC reporting. With enhanced SOC reporting, our clients can streamline multiple customer demands by demonstrating compliance against standards such as NIST, FISMA, FedRAMP, ISO 27001, HIPAA, PCI, and many others.

BARR works with each client to support their growth and the ever-changing demands of their customers and regulators. We will gain a thorough understanding of your business to make sure you comply only with the requirements that matter to your business, leading to a 70% reduction in customer compliance questionnaires and 75% less time spent on the internal resources needed to pass a SOC audit.

Unlike incumbent firms that offer SOC reporting as one of many services, BARR specializes in this field and simplifies the legacy process by reducing manual work through efficient automation. Our professionals have deep expertise and a broad range of experience, and we are 100% recommended by customers. We strive to provide high quality as well as affordability, so you will save 50% on service fees with BARR compared to other companies.