The difference: SOC 1 vs SOC 2 vs SOC 3

The difference between SOC 1, SOC 2 and SOC 3 can be confusing. Users of service organizations, and management of service organizations, need to be very clear on the functions and uses of these reports.

Key points to remember: these reports all apply to Service Organizations that provide outsourced services to users, and SOC reports evaluate the controls service organizations have in place and how they affect user needs. See examples of Service Organizations and how SOC may apply to them here.

Headline Differences SOC 1, SOC 2 and SOC 3

These three reports replaced SAS 70 in 2011 and are designed to meet wider user needs. It may help to look at SOC Reports Evolution, which sets out the history of the reports.

Report | How an outsourced service organization's controls affect:

SOC 1 | The user organization's internal control over financial reporting

SOC 1 reports assess the financial reporting impacts on a user organization from outsourcing. These were previously audited under SAS 70. Includes an opinion on control design at a point in time (Type 1) or design and effectiveness over a period (Type 2).

Focus: Service organization's internal controls that support a user's control over financial reporting.

Report Audience: From the SOC auditor to Service Organization Management/User Organization/User Financial auditor.

Relevant for: Focuses on financial reporting risks, so it is most relevant for outsourced financial processing or support.

Technical

Performed under AICPA standard SSAE 16, guided by Attestation Standard AT 801.

The equivalent international standard with minor differences is ISAE3402.

Key guidance in AICPA Guide Service Organizations: Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1)

AICPA Technical Practice Aid on SOC 1 and SSAE 16 Reports – TIS_Section_9520 (Nov 2011)

See SOC 2 Resources and Links

SOC 2 | The user organization's information security, availability, processing integrity, confidentiality and/or privacy

Detailed assessment of a service organization's operational controls based on the Trust Services Principles and Criteria that provides assurance beyond financial reporting. Includes an opinion on control design at a point in time (Type 1) or design and effectiveness over a period (Type 2). Go here for an explanation of Trust Principles, Criteria and Controls.

Focus: Non-financial operational controls supporting an outsourced system's:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy.

Report Audience: Restricted-use report from the SOC auditor to Service Organization Management/User Organization/User IT auditor, and others who understand internal control.

Relevant for: Range of outsourced IT systems and services. Principles chosen for audit depend on the type of services offered.

Key Uses:

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

Technical

Performed under AICPA TSP Section 100, guided by Attestation Standard AT 101.

Key guidance in AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (2013)

AICPA Technical Practice Aid on SOC Reports – TIS_Section_9530 (Nov 2011)

See SOC 2 Resources and Links

SOC 3 | The user organization's information security, availability, processing integrity, confidentiality and/or privacy

A less-detailed subset of a SOC 2 report, excluding specific tests and results. Opinion on effectiveness and general information for anyone, freely usable in marketing. If a SOC 3 report is unqualified (all criteria have appropriate controls and have been tested), then the service organization can use the SOC 3 seal.

Report Audience: It is a general-use, short report for general and marketing distribution. No detailed knowledge of internal control is required.

Relevant for: All IT outsourcing organizations that want to reassure prospective customers about their operational controls, particularly security and availability of service. Also for prospective customers and non-technical managers who want to get a general sense of how strong the controls are in a vendor organization.

Technical

Performed under AICPA TSP Section 100, guided by Attestation Standard AT 101.

If the Service Organization uses sub-service providers, they must also be audited for it to gain SOC 3. It is possible to carve out sub-service providers for SOC 2, but not for SOC 3.

If any Criteria are not met, the Service Organization cannot display a SOC 3 seal until they are remediated and re-audited.

If all specified Criteria are met the Service Organization can also display SysTrust for Service Organizations Seal.


Source Documents on the Differences

AICPA page on the difference between the reports

Core links and downloadable documents are available on the SOC 2 Resources & Links page. See in particular AICPA Information for Management of a Service Organization.