Which SOC report is right for you?

SOC 2 reporting – assess wider IT-related or compliance risk concerns 

A SOC 2 report is a more expansive report focusing on controls relevant to AICPA Trust Service Principles. Unlike a SOC 1, which focuses on ICFR and financial data, a SOC 2 report is applicable to any service organization. It can be used to provide assurance over both an organization’s services and how sensitive customer information is secured. 

Here’s a breakdown of the SOC 2 report: 

• Primary users: Customers’ vendor management function, to support program requirements 
• Focus: Internal controls over systems and data 
• Scope: Controls to meet one or more Trust Services Criteria 
• Objective: Can address wider IT-related concerns, including: 
  • Security of systems and data 
  • System availability and data recoverability 
  • Processing integrity and accuracy (includes nonfinancial data) 
  • Safeguards to protect sensitive data 
  • Data privacy: collection, use, and disclosure of personally identifiable information 

Looking for help deciding which report is best for you? Contact our team for a more in-depth, personalized consultation.  

SOC 2+ reporting – enhanced reporting and additional industry frameworks 

A SOC 2+ report is an enhanced SOC 2 report that can demonstrate compliance within a relevant risk management framework. Service organizations often are required to confirm compliance with different control frameworks based on the industry in which they operate. Because of the overlap of SOC 2 controls with many existing frameworks, adding a second framework typically increases the examination scope by only 15% to 50%. Examples of industry frameworks include: 

• The National Institute of Standards and Technology’s Cybersecurity Framework 
• Cloud Security Alliance (CSA) Cloud Controls Matrix  
• Health Information Trust Alliance Common Security Framework (HITRUST CSF^®)
• Health Insurance Portability and Accountability Act (HIPAA) Security Rule 
• Committee of Sponsoring Organizations of the Treadway Commission (COSO) frameworks 
• International Organization for Standardization (ISO) 27001 

Here’s a breakdown of the SOC 2+ report: 

• Primary users: Customers’ vendor management function, to support program requirements 
• Focus: Demonstrate compliance within your risk management framework 
• Scope: SOC 2 Trust Services Criteria and second industry framework 
• Objective: Offers a deliverable SOC 2 report, covering both frameworks, that includes: 
  • Opinion on control design and effectiveness over a period 
  • Description of controls 
  • Control test procedures and results 

Some of the benefits and advantages to SOC 2+ over a traditional SOC 1 or SOC 2 report are: 

• For report users 
  • More in-depth information and reporting than SOC 2 
  • Greater coverage for vendor risk assessments and questionnaires 
  • Greater assurance from evaluation against two frameworks 
  • Supported by an independent auditor’s opinion 
• For service organizations 
  • Single audit experience 
  • Highlighted control maturity and depth 
  • Additional technical or industry-specific coverage 
  • Reduced time to manually respond to customer requests 
  • Single report deliverable to distribute 
• Compatible with many existing frameworks 

While there are a variety of SOC2+ frameworks, these are four of the most commonly used: 

• HIPAA Security Rule – security standards to protect personal health information 
  • Demonstrates HIPAA compliance for management, customers, and regulators 
  • Resonates with healthcare customers  
• ISO 27001* – global information security standard 
  • Demonstrates ongoing management and improvement of information security program 
  • Resonates with international customers and within technology industry 
• HITRUST CSF* – comprehensive information protection framework 
  • Highlights more in-depth technical safeguards 
  • Resonates with healthcare customers 
• CSA Cloud Controls Matrix* – security standards for cloud providers 
  • Tailored to cloud computing risks and practices 
  • Acknowledges and addresses specific security risks for cloud providers 

*These frameworks do not provide certification. 

Looking for help deciding which report is best for you? Contact our team for a more in-depth, personalized consultation.  

SOC 3 reporting – general reporting for widespread distribution

A SOC 3 report is a more general form of a SOC 2 report, designed to assure users about controls without the level of detail typically included in a SOC 2 report. Because it’s widely distributed, it’s often used for marketing purposes.  

Here’s a breakdown of the SOC 3 report: 

• Primary users: Prospective customers and public audience  
• Focus: Cases where control and testing details are not needed; contains potentially less sensitive information about a service organization’s IT environment and security 
• Scope: General use reports that can be distributed freely on a public website, client extranet, or governance portal 
• Objective: Covers controls related to privacy, security, processing integrity, confidentiality, or availability 

Looking for help deciding which report is best for you? Contact our team for a more in-depth, personalized consultation.