Which SOC Audit is Right for You?
- Kerry Shackelford
- Apr 21, 2017
- 3 min read
Service Organizations

Many entities outsource aspects of their business activities to service organizations. A "service organization" is AICPA-speak for a third party that provides outsourcing services to its customers. The services can range from completing a single task to performing the activities of an entire business unit or function. Outsourcing often occurs because the service organization is able to accomplish these tasks or business functions more efficiently or effectively, and frequently at lower cost, than the entity could achieve internally. Service organizations include SaaS companies, data center and cloud service providers, payment card processors, healthcare claims processors, etc.
What are SOC Audits?
When outsourcing involves the service organization taking responsibility for some portion of the entity’s business or information technology processes and the related internal controls, and especially when the service organization receives and safeguards sensitive data belonging to the entity, a SOC audit may be in order. “SOC” stands for “Service Organization Control” and a SOC audit is a report on controls at a service organization that are relevant to the user entity. (More AICPA-speak: The entities that use the services of a service organization are termed user entities.)
Which SOC Audit is Right for You?
All too frequently, service organizations are told by a prospective customer that they must provide a SOC 1, SOC 2 or proof of HIPAA compliance before the prospective customer can give them their business. And, unless a service organization is educated regarding SOC reports, they’re not in a position to push back if the prospective customer demands the wrong report. The table below provides high-level guidance concerning the matching of user entity needs (and their independent auditor’s needs) to the appropriate SOC report.

The SOC 1, SOC 2 and SOC 3 reports are described below and are more fully described on the Services page of our website.
SOC 1 Report
These reports are intended to meet the needs of entities that use service organizations (user entities) and the auditors who audit the user entities’ financial statements (user auditors) when evaluating the effect of controls at the service organization on the user entities’ financial statements. User auditors use these reports to plan and perform audits of the user entities’ financial statements.
SOC 2 Report
These reports are intended to meet the needs of a broad range of users who need information and assurance about controls at a service organization that affect the security, availability, or processing integrity of the systems that the service organization uses to process users’ data or the confidentiality or privacy of the information processed by these systems. Examples of stakeholders who may need these reports are management or those charged with governance of the user entities and service organization, customers or suppliers of the service organization, regulators, business partners, and others who have an understanding of the service organization and its controls.
SOC 3 Report
These reports are designed to meet the needs of a wider range of users who need assurance about controls at a service organization that affect the security, availability, or processing integrity of the systems used by a service organization to process users’ information, or the confidentiality or privacy of that information, but who do not need, or lack the knowledge necessary to effectively use, a SOC 2 report. Because they are general-use reports, SOC 3 reports can be freely distributed or posted on a website.
Please contact us if you have questions about SOC audits, HIPAA audits or related advisory services or wish to obtain a quote.