United States

Effective SOC reporting

Understanding the right options for your organization


Download white paper

Service organizations have multiple third-party reporting options, leading to questions about which is the most effective way to communicate their control environment to users. The American Institute of CPAs (AICPA) developed service organization control (SOC) reports to communicate those controls, but organizations must understand which report to utilize to best help users determine the risks associated with outsourcing providers.

In addition to traditional SOC 1, 2 and 3 reports, the AICPA recently developed a SOC report for cybersecurity. This report is in response to growing pressure for service organizations to document and detail their controls and ability to detect and respond to evolving and emerging cybersecurity threats.    

The four SOC reports have distinctly different purposes, intended audiences, structure and control objectives. Consequently, understanding the purpose of each report is a key in determining which is most appropriate for a service organization:

  • SOC 1: Shows controls over financial reporting
  • SOC 2 and SOC 3: Shows controls over security, availability, processing integrity, confidentiality and privacy
  • SOC Cyber: Provides useful information about an entity’s cybersecurity risk management program

Service organizations have several considerations when choosing and executing the right SOC report. In addition to selecting the appropriate reporting option(s), organizations must also know how to properly prepare for a SOC attestation and understand the different types of SOC attestations.

While SOC reporting may seem like a complex initiative, it is necessary for businesses to understand and assess the control environments of business partners. Implementing steps to prepare for reporting helps to ensure that the process is efficient and accurate and the right reports are chosen.   


How can we help you?

Contact us by phone 800.274.3978 or
submit your questions, comments, or proposal requests.

Receive Risk Bulletin by Email


Cybersecurity Rapid Assessment®

Complete our Cybersecurity Rapid Assessment form to be contacted about receiving our "quick-hit" evaluation of your organization’s overall security risk.