As organizations face intensified scrutiny over their internal controls, risk management practices must evolve to provide an increased degree of assurance. The American Institute of CPAs (AICPA) developed System and Organization Controls (SOC) reporting as a valuable tool for organizations to demonstrate to their customers and other key stakeholders that their controls are working.
Explore the FAQs below, or connect with a SOC professional to tell us more about your reporting needs.
The basics
SOC 1®, SOC 2®, SOC 3®, SOC for Cybersecurity and SOC for Supply Chain.
A Type 1 SOC report addresses the design of controls as of a point in time. A Type 2 SOC report addresses the operating effectiveness of controls over a period of time. Type 1 reports provide less comfort to the intended audience of the report and are uncommon.
Note: The Type 1 or Type 2 concept applies to all of the SOC reports (i.e., SOC 1, SOC 2, SOC 3, SOC for Cybersecurity, SOC for Supply Chain).
The SOC 2 and SOC 3 both address the Trust Services Criteria. The SOC 2 is a detailed report intended for limited distribution (such as your customers and their auditors). A SOC 3 contains less detail and is typically intended for general distribution.
SOC 1 Type 2 and SOC 2 Type 2 are the two most common reports.
The need for a SOC report is primarily driven by demand from your customers. However, in some industries a SOC report may be mandated by regulation or compliance requirements.

