Understanding Different Vendor System and Organization Controls (SOC) Reports

SOC reports are a critical part of managing risk and conducting thorough due diligence. They tell you quite a bit about a vendor’s internal control environment and how well – or not well – that environment is operating. When it comes to reducing vendor risk, reviewing vendor SOC reports is non-negotiable. But, with several varieties of SOC reports out there, how do you know which one you need to use and when?

To help you gain a better understanding around these kinds of reports, we’ll break down each category and type of SOC report.

SOC 1 Report: What You Need to Know

A SOC 1 is designed to review a vendor’s internal controls as they relate to financial reporting. SOC 1 audit reports are best for your non-information system-based products and services.

There are two types of SOC 1 reports:

1. Type I Report: Audit controls as of a point in time (single date). Type I reports, often times, don’t test control effectiveness, but only confirm that control activities exist.

2. Type II Report: Covers controls that were in place and operating for a period of time. A Type II report includes a description of any significant changes. Type II assessments are more rigorous, and controls are reviewed for operational effectiveness over a period of time.

When to Use a SOC 1 Report

Request a SOC 1 when the product doesn’t have:

• Insurance products
• Internal accounting software
• Back office administrative products

A SOC 1 report provides information about controls at a service organization that may be relevant to a user entity’s (meaning you, as the organization using the vendor) internal control over financial reporting. This report helps user entities to determine if the control objectives are operating effectively.

SOC 2 Report: What You Need to Know

A SOC 2 report is an examination on the vendor’s controls over one or more of the following 5 Trust Services Criteria (TSC):

1. Security: The system is protected against unauthorized access, use or modification.

2. Availability: The system is available for operation and use as committed or agreed.

3. Processing Integrity: System processing is complete, valid, accurate, timely and authorized.

4. Confidentiality: Information is designated as confidential and is protected as committed or agreed.

5. Privacy: The system’s collection, use, retention, disclosure and disposal of personal information are in conformity with the commitments in the service organization’s privacy notice and with criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).

A SOC 2 is all about protecting private information (or in some cases, funds transfers) and making sure that the controls in place adequately protect information.

Additionally, a SOC 2 report may cover one or all of these TSCs, which determine the scope of what controls to monitor and what changes to make with the products or services offered. For example, if you’re reviewing a data center or cloud service provider, at minimum, you should be looking at Availability and Security TSCs.

There are three types of SOC 2 reports, Type I and Type II, as well as a SOC 2 Plus. Although rarer, a SOC 2 plus provides additional insight into an organization's control environment and is created when an additional control set is assessed along with the chosen TSC. The AICPA has worked with the Cloud Security Alliance (CSA) and HITRUST to provide assistance to organizations and independent assessors to prepare and assess an organization's internal control environment.

When to Use a SOC 2

If you want a measure of how your vendor provides a secure, available, confidential and private solution, ask for a copy of their independently audited SOC 2 Report. A SOC 2 report is an audit (and report) that defines a consistent set of criteria specifically around the product/services that an organization provides (to you). However, keep in mind as you review that the controls are created by the vendor and tested by an auditor or CPA firm.

Examples may include: 

• Internet banking
• Mobile banking
• Bill payment
• Any vendor that stores or accesses
• Consumer private information

SOC 3 Report: What You Need to Know

A SOC 3 is a high-level summary of the SOC 2 audit that comes with a seal of approval a vendor can publicly share.

While the SOC 3 has some of the components of the SOC 2, it’s not as comprehensive as it’s designed to be made available publicly without the requirement of an NDA.

Therefore, keep in mind the following:

• It's less detailed
• It's less technical
• It won't contain the same level of otherwise critical information (to you) that a SOC 2 contains

When to Use a SOC 3

Request and review a SOC 3 report when you’re doing initial early upfront due diligence of a vendor until your organization has determined if they are a serious prospect. It’s also a good tool to use in vendor vetting, but should never be used in place of a SOC 1 or SOC 2. 

SOC Reports for Cybersecurity: What You Need to Know

SOC for cybersecurity is an examination performed by CPAs on an organization’s cybersecurity risk management program. This examination encompasses two distinct, yet interrelated matters:

• The description of the overall cybersecurity risk management program
• The effectiveness of program controls to achieve the cybersecurity objectives

After the examination, typically a report is created. This cybersecurity risk management exam report includes three key components: 

1. Manager’s Description. Management will prepare a description of an organization’s cybersecurity risk management program, which should include: 

• Key cybersecurity policies and procedures
• How the organization manages cybersecurity risks
• How it determines which systems and information are sensitive. 

The goal is to provide a holistic understanding of the organization’s cybersecurity risk management program: 

2. Manager’s Assertion. Management must assert whether they believe the cybersecurity risk management program controls are effective, meet cybersecurity objectives, and if the description sufficiently meets criteria.
   
   
3. Practitioner (CPA) Report. At the end of the examination, the CPA will provide an opinion on the management’s description and comment if the controls in place are effective and satisfy the cybersecurity objectives.

When to Use a SOC for Cybersecurity 

Use the SOC for cybersecurity when interested in validating the vendor's cybersecurity risk management program is designed and operating effectively. However, keep in mind, it's voluntary, so a vendor doesn't need to have or provide this document to you. 

SOC for Supply Chain: What You Need to Know

The SOC for Supply Chain overlaps with the SOC 2 in ways, as they both include one, some or all of the TSCs. Like SOC for Cybersecurity, if you request the SOC for Supply Chain, review the following: 

• Management’s Description
• Management’s Assertion
• Practitioner’s (CPA) Report 

When to Use a SOC for Supply Chain

You’d request a SOC for Supply Chain report when you want to know how the larger organizations and middle market organizations are evaluating and monitoring their supply chain risks.

In the end, a SOC report is an invaluable report to request to verify your vendor has sufficient controls in place and that the controls are operating effectively. Analyzing a SOC report – whether it be a SOC 1, 2, 3, SOC for Cybersecurity or SOC for Supply Chain – assists greatly with ongoing monitoring and ensuring compliance with regulatory expectations.

Dive deeper into how to analyze and review your vendor's SOC reports. Check out the interactive guide.