17.3 SOC 1, SOC 2, SOC 3, and Cybersecurity Reports
Key Takeaways
- Area III, Considerations for SOC Engagements, is 15-25% of the ISC score and covers report purposes, users, assertions, criteria, and report type.
- SOC 1 reports address service-organization controls relevant to user entities' internal control over financial reporting (ICFR).
- SOC 2 reports address controls relevant to security, availability, processing integrity, confidentiality, or privacy under the 2017 Trust Services Criteria.
- SOC 3 reports cover similar Trust Services Criteria subject matter as SOC 2 but are general-use reports without detailed test results.
- Type 1 reports address design as of a date; Type 2 reports add operating effectiveness over a period. SOC for Cybersecurity reports cover an entity-wide cybersecurity risk-management program rather than a single service system.
Why SOC Reports Matter on ISC
The ISC Blueprint devotes Area III, Considerations for System and Organization Controls (SOC) Engagements, which carries 15-25% of the score, to this material, and SOC concepts also surface in Areas I and II. The discipline does not ask you to perform a complete engagement from memory. It expects a newly licensed CPA to understand report purposes, intended users, management assertions, planning issues, system descriptions, the Trust Services Criteria, complementary controls, exceptions, and reporting effects.
SOC engagements are attestation engagements performed under AICPA standards (SSAEs), with SOC 1 under AT-C 320 and SOC 2 under AT-C 105 and 205.
Report Comparison
| Report | Subject matter | Typical users | Distribution |
|---|---|---|---|
| SOC 1 | Controls relevant to user entities' ICFR | User entities and their financial-statement auditors | Restricted use |
| SOC 2 | Controls relevant to security, availability, processing integrity, confidentiality, or privacy | User entities, partners, regulators, and others with sufficient knowledge | Restricted use |
| SOC 3 | Similar Trust Services Criteria subject matter as SOC 2, summarized | Broad public audience | General use |
| SOC for Cybersecurity | Entity-wide cybersecurity risk-management program and controls | Boards, management, investors, analysts, partners | Per engagement terms |
A SOC 1 report is the right answer when outsourced services could affect a user entity's financial statements. Payroll processors, claims processors, loan servicers, and transaction processors all have controls relevant to user entities' ICFR. A user auditor may use a SOC 1 Type 2 report to plan the nature, timing, and extent of audit procedures, but must still evaluate the report's relevance to the audit and the complementary user-entity controls it relies on.
A SOC 2 report is the right answer when the issue is trust services. Management identifies service commitments and system requirements, describes the system, and asserts whether controls were suitably designed and (for Type 2) operated effectively. Under the Trust Services Criteria, the security category is the mandatory set of common criteria, aligned with the COSO framework; additional criteria apply when availability, processing integrity, confidentiality, or privacy is in scope. The current standard is the 2017 Trust Services Criteria with revised points of focus issued in 2022.
A SOC 3 report covers the same Trust Services Criteria subject matter as SOC 2 but is a general-use report that omits detailed test procedures and results. It supports marketing and public trust, but a customer doing vendor-risk diligence usually requests the SOC 2.
A SOC for Cybersecurity report is broader in scope, but along a different dimension: it reports on an entity's cybersecurity risk-management program, not necessarily on a defined service-organization system used by customers. Think enterprise-program communication rather than a service-system report.
Type 1 and Type 2
- Type 1 addresses whether the system description is fairly presented and whether controls are suitably designed as of a specified date.
- Type 2 adds whether controls operated effectively throughout a specified period (commonly 6 or 12 months), and includes the auditor's tests and results.
If a question asks whether a control actually operated for six months, Type 2 is relevant. If it asks only about design at a point in time, Type 1 is enough.
Assertions, Criteria, and Independence
Management is responsible for the system, the description, the assertion, and the controls. The service auditor evaluates the subject matter using suitable criteria and must be independent of the service organization. Subservice organizations create additional independence and scope considerations, especially under the inclusive method.
The Five Trust Services Categories
SOC 2 and SOC 3 are built on the 2017 Trust Services Criteria. You must know all five categories and what each addresses, because the stem usually signals which one applies.
| Category | What it evaluates |
|---|---|
| Security (Common Criteria) | Protection of the system against unauthorized access; mandatory in every SOC 2 |
| Availability | Whether the system is available for operation and use as committed (uptime, capacity, recovery) |
| Processing Integrity | Whether processing is complete, valid, accurate, timely, and authorized |
| Confidentiality | Whether information designated confidential is protected as committed |
| Privacy | Whether personal information is collected, used, retained, disclosed, and disposed of per the privacy notice |
Security is the only mandatory category; the other four are optional and selected based on the service organization's commitments. A streaming platform stresses availability; a payment processor stresses processing integrity; a document-storage vendor stresses confidentiality.
Worked Scenario: Selecting the Report
A prospective customer is evaluating a cloud-based loan-servicing platform whose calculations feed directly into the customer's general ledger and financial statements. The customer's external auditor needs evidence over a full fiscal year. The right answer is a SOC 1 Type 2 report, because the platform's controls affect the customer's internal control over financial reporting and the auditor needs operating-effectiveness evidence across a period. If the same customer's security team separately wanted assurance over the platform's data-protection controls, it would request a SOC 2 report. A single vendor often issues both.
Exam Approach
Read the user need first. Financial-statement auditor needing ICFR evidence: SOC 1. User needing detailed trust-services controls: SOC 2. Report meant for public distribution: SOC 3. Subject is enterprise cybersecurity risk management: SOC for Cybersecurity. Then read for the time element: "as of a date" points to Type 1, while "throughout the period" points to Type 2.
A user auditor needs evidence about a payroll processor's controls over payroll transactions that affect the user entity's financial statements. Which report is most directly relevant?
A cloud hosting provider wants a broadly distributable report that summarizes its security and availability controls without detailed test results. Which SOC report best fits?