SOC Reporting Services

Empowering Trust With Tailored SOC Reporting Solutions 

At GBQ, we believe trust is the foundation of growth, and our SOC Reporting Services are designed to help you build it with confidence. As a cornerstone of third-party assurance, SOC reporting is a trusted standard for demonstrating the strength of your controls, whether you’re pursuing your first SOC examination or refining years of established reports. Our team brings deep expertise and an entrepreneurial spirit to deliver high-quality SOC reporting services that reflect your unique business, industry, and technology landscape.


Tailored Experience To Drive Real Results

At GBQ, we’re committed to empowering your growth with SOC Reporting Services that reflect your distinct business. Whether you’re seeking a SOC 1, SOC 2, or a SOC 3 examination report, our team designs a personalized approach to meet your needs. Below are the types of SOC reporting services GBQ can provide and what they mean to your business:

SOC 1
A SOC 1 examination is critical for service organizations whose operations impact their clients' financial statements, such as payroll processors, financial advisors, and benefit plan administrators. It evaluates the design and operating effectiveness of these controls to ensure they properly mitigate risks related to financial inaccuracies, errors, or fraud. A Type 1 report assesses control design at a point in time; a Type 2 report evaluates both control design and operating effectiveness over a period of time.
SOC 2
The primary purpose of SOC 2 is to demonstrate that an organization has effective controls in place to ensure security, availability, processing integrity, confidentiality, and/or privacy — all of which are important for building customer trust, streamlining vendor relationships, and complying with industry standards. The benefits of SOC 2 reporting include establishing trust and credibility with customers by providing transparent evidence of robust data protection practices. It helps organizations gain a competitive advantage in the market and serves as a critical component to meet customer and regulatory demands. A Type 1 report assesses control design at a point in time; a Type 2 report evaluates both control design and operating effectiveness over a period of time.
SOC 3
Want to broadcast your commitment to excellence? A SOC 3 report offers a simplified, publicly shareable version of a SOC 2 Type 2 examination. Covering the same Trust Services Criteria as your concurrent SOC 2 Type 2 report, it’s designed for marketing purposes, allowing you to post the report on your website or share it with prospective clients without NDA or limited distribution.

Which Type Of SOC Report Do You Need?

Whether you’re seeking a SOC 1, SOC 2, or a SOC 3 report, our team designs a personalized approach to meet your needs. Below are the types of SOC reporting services GBQ can provide and what they mean to your business:

Readiness Assessment
Identifies and documents the key controls that are unique to your organization and aligned with the relevant criteria, while delineating any control gaps to ensure thorough readiness for a seamless SOC examination. 
SOC 1 Report

The SOC 1 report helps your customers (report users) understand how your internal controls (the service organization) impact their own internal controls over financial reporting.

SOC 1 reports do not have a uniform set of control objectives or controls, as each report is designed to be specific to the services provided by the service organization and what matters most to its customers.

What Are SOC 1 Reports Used For?

SOC 1 reports are appropriate for service organization companies whose users/customers rely upon them for some aspect of their own financial reporting process, such as outsourced payroll processing, investments, billing, payables, collections, benefits administration, etc.

SOC 2 Report

The SOC 2 report demonstrates the control environment over information security, providing current and prospective customers (user entities) with information about controls at the service organization to support users’ evaluations of their third-party vendor risk. It is appropriate for companies whose customers desire assurance that their data will be protected and that they can rely upon your services.

These reports follow the AICPA’s Trust Services Criteria, which is a framework of high-level objectives divided into five categories of criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The categories included in a SOC 2 report are selected based on the relevance to the organization’s service commitments and system requirements to its users. While the criteria are prescriptive in SOC 2, the controls designed to meet those criteria are specific and unique to each organization.

What Are SOC 2 Reports Used For?

SOC 2 reports are appropriate for service organizations that provide technology or cloud-based services where data security, availability, processing integrity, confidentiality, or privacy are important to their customers. For software companies, achieving SOC 2 compliance can enhance their reputation by proving a commitment to robust security practices, which is beneficial even if they do not handle sensitive client data. It also helps prepare for potential growth, address client requirements, and mitigate operational risks.

SOC 2+ Report

SOC 2+ reporting builds upon the standard SOC 2 framework by integrating additional compliance requirements and security frameworks into a single unified report. Starting with the SOC 2 Trust Services Criteria—security, availability, processing integrity, confidentiality, and privacy—SOC 2+ allows organizations to layer in controls from other standards such as ISO 27001, NIST SP 800-53, HIPAA, HITRUST, GDPR, and more. This comprehensive approach enables organizations to meet complex and diverse regulatory and customer demands efficiently without undergoing multiple separate audits.

What Are SOC 2+ Reports Used For?

SOC 2+ is ideal for organizations facing increasing regulatory complexity and customer expectations, allowing them to efficiently demonstrate comprehensive compliance and security practices through a single, consolidated report, which brings the opportunity for efficiency and cost savings.

SOC 3 Report

SOC 3 reporting is a public-facing, high-level summary of a SOC 2 Type 2 audit that evaluates an organization’s controls related to security, availability, processing integrity, confidentiality, and privacy. Unlike SOC 2 reports, which are detailed and intended for restricted audiences under nondisclosure agreements, SOC 3 reports omit sensitive technical details and are designed for broad public distribution.

What Are SOC 3 Reports Used For?

SOC 3 reports are used by organizations to publicly showcase their strong commitment to data security and compliance without disclosing potentially sensitive details in the SOC 2 report or managing requests and NDAs.

SOC For Cybersecurity

The SOC for Cybersecurity report demonstrates an organization’s cybersecurity risk management efforts. It is appropriate for companies that want to provide assurance that the appropriate tools, processes, and controls are in place to manage a cyber-attack. This report can be distributed to an organization’s senior management, board, analysts, investors, and business partners.

Unlike the SOC for Service Organizations reports (SOC 1, SOC 2, SOC 3), the SOC for Cybersecurity report is not focused solely on service organizations; any enterprise can choose to have a SOC for Cybersecurity examination performed.

The control criteria covered by a SOC for Cybersecurity report are flexible and can be any suitable framework meeting certain criteria, such as:

    • SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality
    • NIST Cybersecurity Framework
    • ISO 27001

What Are SOC For Cybersecurity Reports Used For?

    • Independent Validation of Your Cybersecurity Diligence: Customers, partners, investors, and internal stakeholders don’t simply have to take your word for it.
    • Competitive Advantage: As SOC for Cybersecurity is a relatively new examination, few competitors will be capable of producing a report affirming their cybersecurity practices. These reports are for general use, so you can distribute them at your discretion without restrictions.
    • Enhanced Position Against Data Breaches: With a SOC for Cybersecurity report, you reassure external stakeholders of your organization’s sound practices while proactively educating and enhancing internal processes before potential issues arise.
Agreed-Upon Procedures

Agreed-upon procedures (AUP) are a specialized type of engagement where an auditor performs specific procedures agreed upon with the client or other designated parties. Unlike traditional audits, AUP engagements do not provide a broad opinion. Instead, they focus on fact-finding by executing targeted tests or reviews on particular areas, processes, or transactions and reporting the factual results without drawing conclusions.

The benefits of agreed-upon procedures include high flexibility, as the scope and nature of work are customized to address precise objectives defined by the client, making it a cost-effective and efficient alternative to full audits.

What Are AUPs Used For?

AUPs are ideal for situations needing independent verification without a comprehensive audit, such as due diligence in mergers and acquisitions, internal control testing, or compliance assessments. Additionally, the factual nature of AUP reports helps clients and stakeholders make informed decisions based on detailed, objective findings while limiting exposure to assumptions or interpretations.

SOC For Supply Chain

The SOC for Supply Chain report is for producers, manufacturers, and distributors and provides specified users with information about the controls within the entity’s system relevant to security, availability, processing integrity, confidentiality, or privacy, enabling users to better understand and manage the risks arising from business relationships with their suppliers and distribution networks. This report will identify, evaluate, and mitigate risks that can disrupt your operations or operations of your vendors, and also provide information on your production, manufacturing, or distribution system.

SOC for Supply Chain reports follow the AICPA’s Trust Services Criteria, similar to SOC 2, which is a framework of high-level objectives divided into five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The categories are selected based on the relevance to the organization’s principal system objectives. While the criteria are prescriptive, the controls designed to meet those criteria are specific and unique to each organization.

What Are SOC For Supply Chain Reports Used For?

  • Independent Validation of Your Cybersecurity Diligence:  Customers, partners, investors, and internal stakeholders don’t simply have to take your word for it.
  • Competitive Advantage: As SOC for Cybersecurity is a relatively new examination, few competitors will be capable of producing a report affirming their cybersecurity practices.
  • Enhanced Position Against Data Breaches: With a SOC for Supply Chain report, you reassure external stakeholders of your organization’s sound practices while proactively educating and enhancing internal processes before potential issues arise.  
How To Prepare For Your First SOC Examination
A SOC Examination is a large undertaking. So, before you proceed, it's important to be prepared. To help you along on your SOC journey, we've put together a guide to help explain how to prepare for your first SOC examination.
Why GBQ?

Why Choose GBQ For Your SOC Reporting Journey?

At GBQ, we don’t just check boxes — we empower your business to thrive. As an AICPA audit firm with deep expertise in CPA SOC audits, we bring an entrepreneurial spirit and independent perspective to every engagement. Whether you need a SOC 1 Type 1 attestation, a SOC 2 Type 2 attestation, or a SOC 3 examination, GBQ tailors our approach to your unique operations. We understand the complexities of your business, from manufacturing to technology, and we’re here to help you navigate them with confidence.

Streamline Compliance
Reduce time spent on customer questionnaires with authoritative SOC reports.
Improve Controls
Use SOC 1 readiness assessments and SOC 2 readiness assessments to identify gaps and strengthen your environment.
Enhance Credibility
Strengthen your reputation and prove to stakeholders your commitment to excellence and operational integrity.
Drive Growth
Build trust through SOC 1 compliance, SOC 2 compliance, or a SOC 3 audit, positioning your business as a leader in financial reporting controls, data security, and information security.

 


Frequently Asked Questions About SOC Examinations & Attestations

There are a lot of questions about SOC examinations and attestations. This FAQ section addresses many of the questions we hear regularly.

What is a SOC report?

A SOC report is an independent assessment of your controls, empowering trust by validating operational integrity for stakeholders and customers.

SOC 1 reports must be completed by an external auditor from a licensed CPA firm.

What is SOC compliance?

SOC compliance means meeting standards for controls, but should not be confused with a SOC report, which contains an opinion from a licensed and independent service auditor.

What is a SOC report used for?

A SOC report builds trust, showing customers and regulators your controls are effective, supporting compliance, and driving growth.

Who needs a SOC 1 report?

SOC 1 reports are appropriate for service organization companies whose users/customers rely upon them for some aspect of their own financial reporting process, such as outsourced payroll processing, investments, billing, payables, collections, benefit administration, etc.

Businesses impacting clients’ financial reporting, like payroll providers, rely on SOC 1 reports to satisfy the requirements of their own financial auditors.

Who needs SOC 2 compliance?

The SOC 2 (System and Organization Controls 2) report is an independent assessment that evaluates the effectiveness of a service organization’s controls with respect to the AICPA’s Trust Services Criteria (security, availability, processing integrity, confidentiality, and/or privacy). This report provides assurance to clients and stakeholders that the organization has established and maintained proper controls to safeguard their data and ensure the reliability of its services.

Tech firms and data handlers need SOC 2 compliance to prove security and privacy controls to their customers.

How to Prepare for Your First SOC Examination

Get Ready

During this initial step, GBQ will work with you to define the scope and boundaries of the system being audited. Our team will conduct interviews to guide management through the process of identifying and selecting relevant controls that meet the applicable trust services criteria. We will then assess if any control gaps need to be remediated and provide guidance in writing a system description (a key element of the SOC report!). This process is very hands-on and is where you will determine what services should be included in the SOC examination. This will also identify weak areas that would benefit from adding or modifying controls. The primary outcome of the readiness phase is your gap assessment, or list of specific action items that need to be addressed before starting your first SOC examination.

Remediation

Following the readiness assessment, time and effort are required to remediate any identified control gaps. Our team can be as involved in the process as you desire. At the very least, we prefer to check in with you regularly through this phase so we can provide you with guidance and input while you work through action items.

What’s the difference between SOC 1 and SOC 2?

A SOC 1 focuses on financial reporting controls; SOC 2 ensures data security, addressing broader Trust Services Criteria for stakeholders.

Are SOC reports public?

SOC 1 and SOC 2 reports are restricted-use, but SOC 3 reports are shareable, offering transparency for all audiences.

A SOC 3 report is a publicly available summary of a service organization’s controls over security, availability, processing integrity, confidentiality, and privacy, providing assurance to a wide audience about their data protection practices.

The SOC 3 report, similar to SOC 2, provides interested parties with a service auditor’s opinion about the effectiveness of controls at the service organization relevant to security, availability, processing integrity, confidentiality, or privacy.

While the SOC 3 is similar to a SOC 2 report in the subject matter included, the report itself differs. A SOC 3 report does not include the specific controls in place, testing procedures, or test results, and the narrative system description is significantly condensed to a description of services offered. Additionally, the report contains a condensed independent auditor’s opinion, management’s assertion, and system description. The SOC 3 report is permitted to be freely distributed and posted on your website.

No additional work is required on your end if you already have a SOC 2 Type 2 examination. This additional deliverable can be added at the same time as a SOC 2 Type 2 report.

How much does a SOC audit cost?

SOC audit costs vary by scope. A reputable CPA and business advisory firm can tailor solutions to your needs.

How long does a SOC examination take?

A SOC examination typically spans 3–12 months, depending on scope, ensuring thorough insights for your business growth.

Type 1 Report

The SOC 1 Type 1 report is a full report including the independent auditor’s opinion, but it is performed as of a specific date and includes only the testing of the design and implementation of controls as of that date. This is the best place to start for first-time SOC candidates because it can be issued as soon as controls are identified to be implemented, much sooner than waiting for a Type 2 period to pass. The Type 1 examination is also a good “dry run” test of the organization’s ability to gather the needed documentation to support the auditing of controls before the specific results of those tests will be included in the report.

Type 2 Report

At least six months after your initial SOC 1 Type 1 report, and not more than 12 months after, a SOC 1 Type 2 report can be issued. The primary difference between the Type 2 and Type 1 engagement is that the operating effectiveness of the controls in place over a period of time is tested in a Type 2 engagement through sampling across the entire audit period, and the testing results are presented in the report.

What’s included in a SOC report?

A SOC report includes an auditor’s opinion, control descriptions, and test results, offering clarity on your operational integrity.

How often should a SOC examination be conducted?

A SOC examination should be conducted annually to maintain trust and ensure your controls consistently meet stakeholder and regulatory expectations.

Can a SOC report fulfill multiple customer requests?

Yes. A SOC report streamlines compliance, addressing multiple customer inquiries with one comprehensive, trusted assessment of your controls.

Looking for help? At GBQ, you have direct access to experts who will take your success personally. Send a brief message outlining your needs and our Advisor will reach out directly to discuss.