SOC (Service Organization Control) Reports

SOC 1, 2 & 3

SOC Reports ensure an organization is following specific best practices before being outsourced for a certain business function.

   Is Your Organization SOC Compliant?

A Service Organization Control report (SOC 1, 2, or 3) is a report, created and validated by third-party auditors, meant to provide independent assurance and to help potential customers, partners, or vendors understand any potential risks involved when working with an outsourced organization. Whether entering into a new partnership or reviewing your current inventory of business relationships, this unbiased report identifies potential inconsistencies and reaffirms that you’re paying attention to how policies and procedures are followed. No decision to work with an outside company is ever risk-proof, but SOC reports will provide unbaised context needed when determining whether or not to work with an organization. Depending on the information needed and the types of organizations involved, there 3 versions of SOC reports.

Components of SOC Reports:
Each SOC Report (regardless if 1, 2 or 3), contains the auditor’s opinion of whether the organization’s presentations of controls is correctly and fairly presented. If a report is deemed unqualified, it means the auditor found the company’s representation of their business and security decisions is accurate. If a report is deemed qualified, it denotes that the auditor found substantial discrepancies between the company’s statement and reality. An opinion is considered adverse if multiple controls failed, and an entire objective has not been met.

3 Types of SOC Reports

Depending on the type of information requested and organization involved, there are varying versions of SOC reports:

SOC 1: Reports on Controls that have an immediate or downstream effect on a user's entity's financial statements. Based on the SSAE 16 reporting standard.

Type I:
Shows how well internal controls are designed to prevent mistakes regarding financial transaction/statement data.
Testing is done at one point in time; does not test the operating effectiveness of the control set.

Type II:
Tests the operating effectiveness of the internal controls (business process and IT general controls); designed to mitigate the risk of a financial inaccuracy of the user entity.
Testing is conducted over a period of time, and a sampling methodology of the user entity.

SOC 2: Reports on controls related to security, availability, processing integrity, confidentiality and privacy. Security control tests are mandatory, while the rest are potional. Based on the AT 101 reporting standard.

Type I:
Test the design of these controls
Testing is done at one point in time; does not test the operating effectiveness of the control set.

Type II:
Tests the operating effectiveness of these controls; designed to mitigate the risk of mishandling customer data.
Testing is conducted over a period of time, and sampling methodology is used for an accurate portrayal of operating effectiveness.

SOC 3: Reports same subject matter as SOC 2 engagements; however, use of these reports is not restricted and can be posted on a website under a seal. To allow for this, the SOC 3 report is typically dedacted from its SOC 2 counterpart.
  • Provides high-level summary for general customers without compromising or revealing details on the internal controls.
  • Typically only utilized by organizations that have conducted many SOC reports in the past and have a thorough and robust control environment.

Learn about Required SOC Security Report Standards

Contact an MDS today to receive expert guidance on how to get your security program up and running.

Our Pledge:

Building out and maintaining your IT ecosystem doesn’t have to be a do-it-yourself project. MDS can help identify network issues, configure devices, and optimize your infrastructure to maximize efficiency and performance. Our consultants are highly trained technology specialists that understand the complexities of multi-vendor environments and have the knowledge and skills to help your business become more agile, customer-focused and operationally efficient.

Contacts: |

NYC Headquarters:
307 West 38th Street, Suite 1801
New York, NY 10018
Tel: 646-744-1000

Miami Office:
Tel: 786-899-2980
San Juan Office: Tel: 646-460-6229