SOC Reports

System and Organization Controls (SOC) reports are audit reports issued by CPA firms assessing controls at service organisations. They are the most widely accepted form of vendor security assessment.

SOC Report Types

| Type | Focus | Users | Contains |
|------|-------|-------|----------|
| SOC 1 | Controls over financial reporting | User entities' auditors (SOX) | Control description, testing results |
| SOC 2 | Controls over security, availability, processing integrity, confidentiality, privacy | Customers, vendors, regulators | Control description, testing results, trust services criteria |
| SOC 3 | General use report (public) | General public, marketing | Summary of SOC 2 without detailed testing |

Type I vs Type II

| Factor | Type I | Type II |
|--------|--------|---------|
| What it assesses | Design of controls | Design AND operating effectiveness |
| Time period | Point in time | Period of time (6-12 months) |
| Evidence | Descriptions, interviews | Descriptions + testing over time |
| Value | Lower (checks for existence) | Higher (checks for effectiveness) |
| Typical use | Initial audit, new service | Ongoing vendor assessment |

SOC 2 Trust Service Criteria

The five TSC categories are defined by AICPA (American Institute of CPAs):

| Category | Description | Example Control |
|----------|-------------|-----------------|
| Security | Protected against unauthorised access | Firewalls, IAM, MFA, encryption, intrusion detection |
| Availability | Available for operation and use | Redundancy, failover, disaster recovery, uptime monitoring |
| Processing Integrity | Processing is complete, accurate, timely | Input validation, reconciliation, error handling |
| Confidentiality | Confidential information is protected | Data classification, access controls, encryption |
| Privacy | Personal information is handled in accordance with commitments | Consent, notice, collection limits, data retention |

Reading a SOC 2 Report

A SOC 2 report has four main sections:

Section 1: Independent Service Auditor's Report (opinion)
→ "In our opinion, the controls were fairly described and operated effectively"
Section 2: Management's Assertion
→ Management states they designed and implemented controls effectively
Section 3: Description of the System
→ Infrastructure, software, data, people, procedures, monitoring
Section 4: Testing of Controls (Type II)
| Control | Description | Tested By | Result |
|---------|-------------|-----------|--------|
| Access reviews | Quarterly review of privileged access | CPA firm | No exceptions |
| Encryption | AES-256 enabled on all storage | CPA firm | No exceptions |
| Patching | Critical patches within 48 hours | CPA firm | 1 exception |

Red Flags in SOC Reports

| Finding | Implication |
|---------|-------------|
| Exceptions in testing | Controls did not operate effectively for some period |
| Qualifications in opinion | Auditor could not fully verify controls |
| "Complementary user entity controls" | Your organisation must implement specific controls for the provider's SOC to be valid |
| Report date > 12 months old | Report is likely stale; SOC reports are typically valid for 12 months |
| Scope excludes critical services | Important systems were not in scope |