Which SOC report is right for you?

The basics of SOC reporting – evaluate your organization and service providers with accuracy

What is a SOC report, and why do I need one?

System and Organization Controls (SOC) reports provide an independent evaluation of relevant systems and controls, giving you a professional and objective review of your business (overall or in a specific area, depending on the report type). These reports can help your stakeholders (customers, shareholders, and regulators) have confidence in your processes and procedures. Plus, they can help you identify organizational gaps, needed efficiencies, and areas of improvement. A variety of SOC reporting types exist, each used to measure different aspects of your organization.

What are the different types of SOC reports?

SOC 1: This reports on internal controls that affect the user entities’ financial reporting (internal control over financial reporting, or ICFR) process or SOX 404 key controls.
SOC 2: This provides detailed information about how various IT risks are addressed, using the American Institute of CPAs (AICPA) Trust Services Criteria categories: security, availability, confidentiality, processing integrity, and privacy. This report can play an important role in the oversight of an organization, vendor management programs, internal corporate governance, and risk management processes.
SOC 2+: This demonstrates compliance with the same Trust Services Criteria as a SOC 2, as well as a second, industry-recognized framework selected by the service organization. A SOC 2+ report can be an effective tool to show the depth and maturity of an organization’s information security practices and programs.
SOC 3: This report’s scope and supporting examination procedures are the same as for a SOC 2. By contrast, the report deliverable is designed for general use and can be more widely distributed than a SOC 2.

As you can see, a wide variety of SOC reports exists. Which report is best for you will depend on the services you provide as well as the potential risks and focus areas of your customers and report users.

Crowe is organized, prepared, and well informed. They strive to provide the best customer service and are always ready to assist.

Josh Miller

CEO

KeyState Captive Management LLC

Looking for help deciding which report is best for you? Check out our SOC reporting guide feature below for further assistance, or contact our team for a more in-depth, personalized consultation.

Click the yellow button below to launch our SOC reporting guidance and find out which report is right for you.

SOC 1 reporting

SOC 2 reporting

SOC 2+ reporting

SOC 3 reporting

SOC 1 reporting

SOC 1 reporting – assess the reliability of your financial data

A SOC 1 report is an independent report on internal controls that affect the user entities’ ICFR. Here’s a breakdown of the SOC 1 report:

Primary users: Users of the system and user auditors (to support financial statement audits)
Focus: ICFR
Scope: Controls to meet organization-defined control objectives
Objective: Address customers’ risks related to ICFR typical coverage areas:
- Account setup and maintenance
- Transaction processing
- System and data integrity (IT general controls)
- Report outputs

Looking for help deciding which report is best for you? Contact our team for a more in-depth, personalized consultation.

SOC 2 reporting

SOC 2 reporting – assess wider IT-related or compliance risk concerns

A SOC 2 report is a more expansive report focusing on controls relevant to AICPA Trust Service Principles. Unlike a SOC 1, which focuses on ICFR and financial data, a SOC 2 report is applicable to any service organization. It can be used to provide assurance over both an organization’s services and how sensitive customer information is secured.

Here’s a breakdown of the SOC 2 report:

Primary users: Customers’ vendor management function, to support program requirements
Focus: Internal controls over systems and data
Scope: Controls to meet one or more Trust Services Criteria
Objective: Can address wider IT-related concerns, including:
- Security of systems and data
- System availability and data recoverability
- Processing integrity and accuracy (includes nonfinancial data)
- Safeguards to protect sensitive data
- Data privacy: collection, use, and disclosure of personally identifiable information

Looking for help deciding which report is best for you? Contact our team for a more in-depth, personalized consultation.

SOC 2+ reporting

SOC 2+ reporting – enhanced reporting and additional industry frameworks

A SOC 2+ report is an enhanced SOC 2 report that can demonstrate compliance within a relevant risk management framework. Service organizations often are required to confirm compliance with different control frameworks based on the industry in which they operate. Because of the overlap of SOC 2 controls with many existing frameworks, adding a second framework typically increases the examination scope by only 15% to 50%. Examples of industry frameworks include:

The National Institute of Standards and Technology’s Cybersecurity Framework
Cloud Security Alliance (CSA) Cloud Controls Matrix
Health Information Trust Alliance Common Security Framework (HITRUST CSF^®)
Health Insurance Portability and Accountability Act (HIPAA) Security Rule
Committee of Sponsoring Organizations of the Treadway Commission (COSO) frameworks
International Organization for Standardization (ISO) 27001

Here’s a breakdown of the SOC 2+ report:

Primary users: Customers’ vendor management function, to support program requirements
Focus: Demonstrate compliance within your risk management framework
Scope: SOC 2 Trust Services Criteria and second industry framework
Objective: Offers a deliverable SOC 2 report, covering both frameworks, that includes:
- Opinion on control design and effectiveness over a period
- Description of controls
- Control test procedures and results

Some of the benefits and advantages to SOC 2+ over a traditional SOC 1 or SOC 2 report are:

For report users
- More in-depth information and reporting than SOC 2
- Greater coverage for vendor risk assessments and questionnaires
- Greater assurance from evaluation against two frameworks
- Supported by an independent auditor’s opinion
For service organizations
- Single audit experience
- Highlighted control maturity and depth
- Additional technical or industry-specific coverage
- Reduced time to manually respond to customer requests
- Single report deliverable to distribute
Compatible with many existing frameworks

While there are a variety of SOC2+ frameworks, these are four of the most commonly used:

HIPAA Security Rule – security standards to protect personal health information
- Demonstrates HIPAA compliance for management, customers, and regulators
- Resonates with healthcare customers
ISO 27001* – global information security standard
- Demonstrates ongoing management and improvement of information security program
- Resonates with international customers and within technology industry
HITRUST CSF* – comprehensive information protection framework
- Highlights more in-depth technical safeguards
- Resonates with healthcare customers
CSA Cloud Controls Matrix* – security standards for cloud providers
- Tailored to cloud computing risks and practices
- Acknowledges and addresses specific security risks for cloud providers

*These frameworks do not provide certification.

The Crowe team is experienced and extremely helpful. They understand regulatory standards and candidly and professionally communicate what is needed.

Derek Ross

Chief Administrative Officer

RiskSpan Inc.

Looking for help deciding which report is best for you? Contact our team for a more in-depth, personalized consultation.

SOC 3 reporting

SOC 3 reporting – general reporting for widespread distribution

A SOC 3 report is a more general form of a SOC 2 report, designed to assure users about controls without the level of detail typically included in a SOC 2 report. Because it’s widely distributed, it’s often used for marketing purposes.

Here’s a breakdown of the SOC 3 report:

Primary users: Prospective customers and public audience
Focus: Cases where control and testing details are not needed; contains potentially less sensitive information about a service organization’s IT environment and security
Scope: General use reports that can be distributed freely on a public website, client extranet, or governance portal
Objective: Covers controls related to privacy, security, processing integrity, confidentiality, or availability

Looking for help deciding which report is best for you? Contact our team for a more in-depth, personalized consultation.

Why Crowe?

You have so many choices when it comes to SOC reporting – but one of the most important decisions you can make is choosing the right team for your organization. With a combination of expertise, agility, and responsiveness, Crowe offers:

An experienced team that:
- Serves more than 100 SOC clients and performs more than 200 SOC reports per year
- Customizes an auditing approach for your organization’s requirements
- Provides accelerated and on-time reporting
- Includes industry knowledge specialists selected for each engagement
Direct senior leadership access and participation during the engagement

The Crowe team clearly enjoys what they do. When compared to other audit firms I have worked with, Crowe’s work product outperforms. I have found Crowe to be responsive, timely, and knowledgeable.

Vince Scardina

Chief Financial Officer

Lentegrity LLC

Dedicated IT assurance teams (focused solely on AICPA requirements), who are collaborative and comfortable with relevant frameworks and standards
A “no-surprise” approach that keeps you informed of our findings throughout the process
Efficiency when providing multiple solutions, with the on-staff expertise to meet all your IT assurance needs (SOC, payment card industry, HITRUST, and more)

Looking for help deciding which report is best for you? Contact our team for a more in-depth, personalized consultation.