Systems and Organization Controls (SOC) 2® examinations, and on occasion SOC 3® examinations—also known as SOC 2 and 3 audits—have become an expected standard for service organizations that interact with, or operate as, vendors or service providers that store, process, or maintain client data.

Chief information security officers (CISOs), CFOs, and auditors rely on SOC 2 reports to gain comfort and valuable insight over the internal controls of critical vendors and service providers.

Regardless of your company’s line of services—from software as a service (SaaS) to intelligent autonomous systems (IAS), you likely need an annual SOC 2 or SOC 3 report if you interact with customer data or are a third-party provider.

Do You Need a SOC 2­ Report?

Most technology companies need SOC 2 examinations because they are third-party providers that store, process, or maintain customer data.

Increased security concerns rising proportionally as the IT industry promotes new products and services in the cloud continue to drive growth in the number of SOC 2 examinations performed. A SOC 2 report is now considered a base requirement for technology service providers.

Trust Services Categories

SOC 2 examinations emphasize system reliability by measuring the effectiveness of internal controls related to five trust services categories:

• Security
• Availability
• Confidentiality
• Processing integrity
• Privacy

Trust service categories can apply to the below system components.

SOC 2 examinations are often requested for:

• SaaS, infrastructure as a service (IaaS), and platform as a service (PaaS)
• Cloud-based providers
• Data centers and colocation facilities
• IT-managed services companies
• IT-hosted services
• Business intelligence software

Types of SOC 2

Similar to a SOC 1 report, there are two types within SOC 2:

• Type 1. Assesses management’s description of a service provider’s system and the suitability of the design of controls.
• Type 2. Assesses management’s description of a service provider’s system and the suitability of the design and operating effectiveness of controls.

Distribution

Like SOC 1 examination reports, SOC 2 examination reports can be distributed only to management; current and prospective customers, or user entities; practitioners providing services to such user entities; and regulators.

SOC 3

SOC 3 reports are essentially a smaller-scale SOC 2 report and used primarily for public distribution.

While demand is lower for these reports, the public distribution element can be compelling for companies as the use of a SOC 3 report isn’t restricted.

SOC 3 covers the same subject matter as a SOC 2 report, but with some key differences:

• Designed for users who want assurance on the controls at a service organization but don’t need or possess the knowledge necessary to make effective use of a SOC 2 report, resulting in a less detailed description of the system
• Doesn’t include a description of the service auditor’s tests of controls and results

Companies generally must complete a SOC 2 examination before requesting a SOC 3 report, but the SOC 3 report can be issued concurrently with the SOC 2 report.

How the SOC Process Works

Once a preliminary readiness assessment is complete, a timeline can be developed for the engagement based on the assessment results.

Our professionals provide SOC audits for a range of client types including SaaS, Iaas, and PaaS companies, business intelligence providers, colocation data centers, financial institutions and service companies, third-party administrators, benefits administrators, and more.

Companies can register for an American Institute of Certified Public Accountant (AICPA) SOC seal for public distribution.