SOC Report: Definition, Types, and Guide

SOC Report

A SOC (System and Organization Controls) report is an independent attestation report issued by a licensed CPA firm that evaluates the design and operating effectiveness of a service organization's controls. SOC reports are governed by the AICPA and have become the standard for demonstrating security and compliance to customers, partners, and regulators.

Types of SOC Reports

SOC 1 (SSAE 18) — Evaluates controls relevant to the financial reporting of the service organization's customers. Relevant when the service affects customer financial statements (payroll processors, financial SaaS platforms).

SOC 2 — Evaluates controls against the AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). Security is the only mandatory criterion; the others are included at the service organization's discretion. The most common report for technology and SaaS companies.

SOC 3 — A general-use version of the SOC 2 report suitable for public distribution. Contains the auditor's opinion but not the detailed control descriptions and test results.

Type I vs. Type II

  • Type I — Evaluates the design of controls at a specific point in time. Useful as a first step but provides limited assurance.
  • Type II — Evaluates the design and operating effectiveness of controls over a period (typically 6-12 months). Provides significantly stronger assurance and is what most customers require.

What a SOC 2 Report Contains

  1. Independent auditor's report — The CPA firm's opinion on whether controls are fairly described and operating effectively
  2. Management's assertion — Management's statement about the system and controls
  3. System description — Detailed description of the services, infrastructure, software, people, and data in scope
  4. Control activities and test results — Each control listed with the auditor's test procedures and results
  5. Complementary user entity controls (CUECs) — Controls that the customer must implement for the system to be fully effective

Why It Matters

SOC 2 reports are the lingua franca of vendor security assessment in the technology industry. Enterprise customers routinely request SOC 2 reports during procurement, and the absence of one can be a deal-blocker. The report provides independent, third-party evidence that your security controls actually work — not just that you claim they do. That evidence applies only to the systems named in the system description and to the period the auditor tested, so a customer reading the report should check the scope, the test results (including any exceptions), and the CUECs it expects the customer to implement, rather than relying on the opinion alone.
