Almost a decade after Service Organization Controls (SOC) were introduced, there is still confusion over the variety and contexts of SOC audits. On the surface there are three kinds of SOC reports, and within them two types.
If some critical or high-risk vendors provide a SOC 1 and others give you SOC 2 or even SOC 3, how can you know the difference? And how do you know when and why to use each one?
The Differences Between SOC 1, 2 and 3
A SOC 1 audit is a confidential report that details the effectiveness of internal controls at a third-party vendor that may be relevant to their client’s internal control over financial reporting.
A SOC 1 audit can be either a Type 1, which focuses on the design of a vendor’s controls, or a Type 2, which tests both the design and the operating effectiveness of key internal controls over a period, usually no shorter than 6 months.
The SOC 1 audit is based on the SSAE 18 standard, a new auditing standard with a broader scope that includes key insight into fourth parties.
A SOC 2 audit evaluates the internal controls, policies and procedures that directly relate to the security of systems at third- and fourth-party vendors. The SOC 2 is a confidential report that determines vendor compliance with the Trust Services Criteria:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
A SOC 3 report is also based on the Trust Services Criteria. It can be freely distributed and is not confidential. A SOC 3 does not give a description of the service organization’s system. Instead, it provides a summary of the auditor’s report.
VendorInsight® is a Single Source of Truth
SOC reports can run anywhere from 50 to 250 pages. If you don’t have the expertise or time to review, understand and substantiate the findings in your SOC reports, VendorInsight® can do it for you.
When you work with us, VendorInsight® reviews SOC control audit reports per your organization’s submission to us or by requesting them directly from the vendor. As these are private and confidential documents, we request and receive each SOC under an open Letter of Authorization from your organization.
Our team then provides a final report which summarizes the risk analysis and findings. The report also contains a separate segment that identifies the Complementary User Entity Controls (CUEC) and Complementary Service Organization Controls (CSOC) for integration and validation with your internal organization controls.
As part of working with VendorInsight®, you receive a single source of reference, with everything you need in one place. The VendorInsight® evaluation and final report, your documented review of our findings, your attestation to complementary controls and the vendor’s documents are all uploaded into your electronic vendor folders in VendorInsight®.
When considering which reports from your third and fourth-party vendors fit your organization’s needs, you must first understand the different types of SOC audits.
For more on the differences between SOC 1, 2 and 3, including insights from VendorInsight® experts, read our white paper SOC 1, 2 or 3: What’s the Best for You?