What are SOC Reports?

Service Organization Control (SOC) reports are internal control audit reports issued by a CPA on the services provided by a service organization that performs specific outsourced services to a third party user entity.  Service organizations include payroll processors, medical claims processors, credit card processors, data center providers or any other organization that provides a service to a third party user entity that will be relied upon by the user entity.   A SOC report provides valuable information that users need to assess and address the risks associated with an outsourced service. These reports may be required by a service organization’s auditors, their third party user’s auditors, or by a key vendor or customer.

What are the three variations of SOC reports and who are the users of each?

SOC 1 Reports

A SOC 1 report is a report on controls at a service organization that is relevant to user entities’ internal control over financial reporting.  A SOC 1 Report is also referred to as a SSAE 16 (Statements on Standards for Attestation Engagements No. 16) report and previously was referred to as a SAS 70 report.  A SOC 1 report focuses on the financial reporting risks and controls specified by the service provider. 

The users of a SOC 1 report are the entities that use the service organization’s services and their auditors.

SOC 2 Reports

SOC 2 reports address controls relevant to operations and compliance, specifically related to an organization’s information systems relevant to security, availability, processing, integrity, confidentiality or privacy. 

 A SOC 2 report is a detailed report for management of the service organization, user entities and their auditors, regulators and specified parties that want an understanding of the effectiveness of security, availability, processing, integrity, confidentiality or privacy information technology operational controls within an organization.

SOC 3 Reports

A SOC 3 report is similar to a SOC 2 report but does not include detail testing of controls and is intended to be used as marketing material.  A SOC 3 report is an abridged SOC 2 report that can be more generally distributed and is intended for any users with the need for assurance in the security, availability, processing, integrity, confidentiality or privacy of a service organization’s system.  An AICPA SOC 3 seal may be displayed on the website of a service organization that links to the SOC 3 report.

There are two types of SOC reports.  What is the difference between each type?

A Type 1 report tests the design effectiveness of the service organizations defined controls as of a specific date, whereas a Type 2 report tests the operating effectiveness of those controls over a particular  period, generally a year.  Organizations that need Type 2 SOC 1 reports generally have regular audits performed annually. 

What types of SOC audits does HCVT perform?

HCVT performs SOC 1 audits, both Type 1 and Type 2.

Our company needs a SOC 1 report.  Where do we start?

For organizations that may need a SOC 1 report, it is critical to have a readiness assessment performed on your business and process controls.  We highly recommend for you to partner with a consultant to conduct a readiness assessment.  This consultant will assist you in identifying key controls that will be tested in your SOC engagement.  The consultant will also do a “mock audit” to ensure that you will be ready for your SOC 1 audit and that there will be no surprises.  Any areas where weaknesses may be present can be addressed before the formal audit starts. 

Even for companies that have had a SOC 1 audit previously, it is a good idea to have a readiness assessment performed as new high-risk areas may have surfaced since the last SOC 1 audit was performed.

We’ve completed our readiness assessment.  What’s next?

Once the readiness assessment is performed, we recommend that you commence with HCVT performing a Type 1 SOC 1 audit initially.  Once that process is completed, we can perform a Type 2 audit at a subsequent point in time, which is generally 6-9 months later.  For companies that have never had a SOC 1 audit, we strongly recommend having a Type 1 audit performed first. In the Type 1 audit, if controls are found not to have been designed properly, the controls will need to be remediated and another Type 1 audit will need to be performed before an unqualified Type 2 audit report can be issued.


At HCVT, our SOC 1 engagements assist the service organization with reliable methods to provide assurance over their control environment.  Our approach to performing SOC engagements begins with gaining an understanding of the service organization’s operations, risks, and internal control environment.  We leverage our industry knowledge in tailoring audit plans of the controls specific to the needs of the end user and prepare a comprehensive report that meets the requirements of the user entities.  We also collaborate with management throughout the process to avoid surprises to help ensure that your report will be tailored to the needs of your specific end users.

Main Menu