There are three types of service organization control (SOC) reports, which are referred to as SOC 1, SOC 2, and SOC 3 reports.
SOC 1 Reports
An SOC 1 report, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, is intended to meet the needs of entities (user entities) that use service organizations and their auditors, who are responsible for understanding internal controls over financial reporting at service organizations.
In a Type 1 engagement, the service auditor performs procedures to obtain sufficient available evidence to obtain reasonable assurance about the suitability of the design of controls. In making that determination, the service auditor evaluates whether controls have been designed to address risks threatening the achievement of control objectives and whether those controls, if operating as described, provide reasonable assurance that those risks would not prevent achievement of control objectives.
In a Type 2 engagement, the service auditor performs tests of the operating effectiveness of the controls at the service organization, in addition to the procedures performed in a Type 1 engagement. The service auditor’s Type 2 report contains the two opinions about the description and suitability of the design of controls that are provided in a Type 1 report, plus an additional opinion about the operating effectiveness of controls throughout the period.
SOC 2 Reports
Service organizations provide a number of other IT services for entities that may not relate to internal controls over financial reporting. For example, a university that outsources the processing of student applications for admission will likely be subject to laws requiring the university to maintain the privacy of the information included in the application. The university is concerned about the accuracy of that information and is responsible for maintaining the privacy of the information, including information residing at the service organization. Management of the university is also concerned about complying with laws or regulations related to processing integrity and privacy and may desire assurance about the service organization’s controls relevant to processing integrity and privacy that affect the users’ information.
An SOC 2 report, Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, is intended to meet the needs of a broad range of users who need information and assurance about controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. For example, customers of a service organization may seek an SOC 2 report as part of their vendor risk management considerations.
SOC 3 Reports
An SOC 3 report, Trust Services Report for Service Organizations, is similar to an SOC 2 report except that the SOC 3 report is intended for wide distribution to current or potential users of the service organization.